Vulnerabilities > Rapid7

DATE CVE VULNERABILITY TITLE RISK
2019-08-21 CVE-2019-5638 Insufficient Session Expiration vulnerability in Rapid7 Nexpose
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user.
network
low complexity
rapid7 CWE-613
8.8
2019-08-19 CVE-2019-5631 Untrusted Search Path vulnerability in Rapid7 Insightappsec
The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product.
network
rapid7 CWE-426
critical
9.3
2019-07-13 CVE-2019-5629 Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent
Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path.
local
low complexity
rapid7 CWE-427
7.2
2019-07-03 CVE-2019-5630 Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose
A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68.
network
rapid7 CWE-352
6.8
2019-04-30 CVE-2019-5624 Path Traversal vulnerability in Rapid7 Metasploit
Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit.
local
low complexity
rapid7 CWE-22
7.3
2019-04-09 CVE-2019-5615 Insufficiently Protected Credentials vulnerability in Rapid7 Insightvm
Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords.
network
rapid7 CWE-522
3.5
2018-11-28 CVE-2018-5559 Cleartext Storage of Sensitive Information vulnerability in Rapid7 Komand
In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel.
network
low complexity
rapid7 CWE-312
4.0
2017-12-14 CVE-2017-5264 Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
network
rapid7 CWE-352
6.8
2017-10-06 CVE-2017-15084 Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Metasploit
The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22.
network
rapid7 CWE-352
4.3
2017-06-15 CVE-2017-5244 Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Metasploit 4.13.0/4.13.1/4.13.19
Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests.
network
rapid7 CWE-352
3.5