Vulnerabilities > Rapid7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-25 | CVE-2020-7355 | Cross-site Scripting vulnerability in Rapid7 Metasploit Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. | 6.1 |
| 2020-06-25 | CVE-2020-7354 | Cross-site Scripting vulnerability in Rapid7 Metasploit Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. | 5.4 |
| 2020-04-22 | CVE-2020-7350 | OS Command Injection vulnerability in Rapid7 Metasploit Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. | 7.8 |
| 2020-01-25 | CVE-2012-6494 | Cross-site Scripting vulnerability in Rapid7 Nexpose Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access. | 6.1 |
| 2020-01-22 | CVE-2019-5647 | Insufficient Session Expiration vulnerability in Rapid7 Appspider The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. | 7.1 |
| 2019-11-06 | CVE-2019-5642 | Incorrect Permission Assignment for Critical Resource vulnerability in Rapid7 Metasploit 4.15.0/4.15.1/4.16.0 Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. | 3.3 |
| 2019-08-19 | CVE-2019-5631 | Untrusted Search Path vulnerability in Rapid7 Insightappsec The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. | 7.8 |
| 2019-07-13 | CVE-2019-5629 | Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. | 7.8 |
| 2019-07-03 | CVE-2019-5630 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. | 8.8 |
| 2019-04-30 | CVE-2019-5624 | Path Traversal vulnerability in Rapid7 Metasploit Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. | 7.3 |