Vulnerabilities > Rapid7

DATE CVE VULNERABILITY TITLE RISK
2020-09-03 CVE-2020-7381 Code Injection vulnerability in Rapid7 Nexpose
In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
network
rapid7 CWE-94
6.8
2020-09-01 CVE-2019-5645 Resource Exhaustion vulnerability in Rapid7 Metasploit
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression.
network
low complexity
rapid7 CWE-400
5.0
2020-08-24 CVE-2020-7377 Path Traversal vulnerability in Rapid7 Metasploit
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server.
network
low complexity
rapid7 CWE-22
5.0
2020-08-24 CVE-2020-7376 Path Traversal vulnerability in Rapid7 Metasploit
The Metasploit Framework module "post/osx/gather/enum_osx module" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host.
network
low complexity
rapid7 CWE-22
critical
10.0
2020-06-25 CVE-2020-7355 Cross-site Scripting vulnerability in Rapid7 Metasploit
Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
network
rapid7 CWE-79
4.3
2020-06-25 CVE-2020-7354 Cross-site Scripting vulnerability in Rapid7 Metasploit
Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
network
rapid7 CWE-79
4.3
2020-04-22 CVE-2020-7350 OS Command Injection vulnerability in Rapid7 Metasploit
Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name.
network
rapid7 CWE-78
6.8
2020-01-25 CVE-2012-6494 Cross-site Scripting vulnerability in Rapid7 Nexpose
Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access.
network
rapid7 CWE-79
4.3
2020-01-22 CVE-2019-5647 Insufficient Session Expiration vulnerability in Rapid7 Appspider
The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser.
local
low complexity
rapid7 CWE-613
3.6
2019-11-06 CVE-2019-5642 Incorrect Permission Assignment for Critical Resource vulnerability in Rapid7 Metasploit 4.15.0/4.15.1/4.16.0
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions.
local
low complexity
rapid7 CWE-732
2.1