Vulnerabilities > Rapid7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-29 | CVE-2022-35630 | Cross-site Scripting vulnerability in Rapid7 Velociraptor A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. | 6.1 |
| 2022-07-29 | CVE-2022-35631 | Link Following vulnerability in Rapid7 Velociraptor On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. | 5.5 |
| 2022-07-29 | CVE-2022-35632 | Cross-site Scripting vulnerability in Rapid7 Velociraptor The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. | 4.8 |
| 2022-03-17 | CVE-2022-0237 | Unquoted Search Path or Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. | 7.8 |
| 2022-03-17 | CVE-2022-0757 | SQL Injection vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. | 8.8 |
| 2022-03-17 | CVE-2022-0758 | Cross-site Scripting vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. | 6.1 |
| 2022-01-21 | CVE-2021-4016 | Unspecified vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. | 3.3 |
| 2021-12-14 | CVE-2021-4007 | Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path. | 7.8 |
| 2021-11-22 | CVE-2019-5640 | Information Exposure vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | 5.3 |
| 2021-08-19 | CVE-2021-31868 | Missing Authentication for Critical Function vulnerability in Rapid7 Nexpose Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. | 5.4 |