Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0681 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | N/A | 6.1 MEDIUM |
| Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February, 2023 release of version 6.6.179. | |||||
| CVE-2021-3844 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | N/A | 5.4 MEDIUM |
| Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638. | |||||
| CVE-2017-5242 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | N/A | 7.7 HIGH |
| Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. | |||||
| CVE-2022-4261 | 1 Rapid7 | 2 Insightvm, Nexpose | 2023-12-10 | N/A | 6.5 MEDIUM |
| Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself. | |||||
| CVE-2019-5641 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | N/A | 5.3 MEDIUM |
| Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | |||||
| CVE-2019-5615 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
| Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49. | |||||