Vulnerabilities > Rapid7 > High
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-10-29 | CVE-2020-7384 | Command Injection vulnerability in Rapid7 Metasploit | Rapid7's Metasploit msfvenom framework handles APK files in a way that allows a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine. | 7.8 |
2020-10-14 | CVE-2020-7383 | SQL Injection vulnerability in Rapid7 Nexpose | A SQL Injection issue in Rapid7 Nexpose versions prior to 6.6.49 may have allowed an authenticated user with a low permission level to access resources and make changes they should not have been able to. | 8.1 |
2020-09-03 | CVE-2020-7381 | Code Injection vulnerability in Rapid7 Nexpose | In Rapid7 Nexpose installer versions prior to 6.6.40, the installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. | 7.8 |
2020-09-01 | CVE-2019-5645 | Resource Exhaustion vulnerability in Rapid7 Metasploit | By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. | 7.5 |
2020-08-24 | CVE-2020-7377 | Path Traversal vulnerability in Rapid7 Metasploit | The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" is affected by a relative path traversal vulnerability in its untar method, which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run against a malicious HTTP server. | 7.5 |
2020-04-22 | CVE-2020-7350 | OS Command Injection vulnerability in Rapid7 Metasploit | Rapid7 Metasploit Framework versions before 5.0.85 suffer from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. | 7.8 |
2020-01-22 | CVE-2019-5647 | Insufficient Session Expiration vulnerability in Rapid7 AppSpider | The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. | 7.1 |
2019-08-19 | CVE-2019-5631 | Untrusted Search Path vulnerability in Rapid7 InsightAppSec | The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. | 7.8 |
2019-07-13 | CVE-2019-5629 | Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent | Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. | 7.8 |
2019-07-03 | CVE-2019-5630 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose | A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. | 8.8 |