Vulnerabilities > Rapid7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-22 | CVE-2019-5647 | Insufficient Session Expiration vulnerability in Rapid7 Appspider The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. | 3.6 |
| 2019-11-06 | CVE-2019-5642 | Incorrect Permission Assignment for Critical Resource vulnerability in Rapid7 Metasploit 4.15.0/4.15.1/4.16.0 Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. | 2.1 |
| 2019-08-19 | CVE-2019-5631 | Untrusted Search Path vulnerability in Rapid7 Insightappsec The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. | 9.3 |
| 2019-07-13 | CVE-2019-5629 | Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. | 7.2 |
| 2019-07-03 | CVE-2019-5630 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. | 6.8 |
| 2019-04-30 | CVE-2019-5624 | Path Traversal vulnerability in Rapid7 Metasploit Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. | 7.3 |
| 2019-04-09 | CVE-2019-5615 | Insufficiently Protected Credentials vulnerability in Rapid7 Insightvm Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. | 3.5 |
| 2018-11-28 | CVE-2018-5559 | Cleartext Storage of Sensitive Information vulnerability in Rapid7 Komand In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. | 4.0 |
| 2017-12-14 | CVE-2017-5264 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack. | 6.8 |
| 2017-10-06 | CVE-2017-15084 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Metasploit The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22. | 4.3 |