Rapid7 InsightVM vulnerabilities
10 known vulnerabilities affecting rapid7/insightvm.
Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 7, LOW 1
Vulnerabilities
CVE-2019-5638 | P3 | HIGH | CVSS 8.7 | CWE-613 | fixed in 6.5.50 | 2019-08-21 | source: NVD
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password
CVE-2022-4261 | P3 | MEDIUM | CVSS 6.5 | CWE-494 | fixed in 6.6.172 | affected: ≤ 6.6.171 | 2022-12-08 | source: NVD
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering e
CVE-2019-5615 | P3 | MEDIUM | CVSS 6.5 | CWE-257 | affected: ≥ 6.5.11, ≤ 6.5.49; ≥ 6.5.49, ≤ 6.5.49; +1 more | 2019-04-09 | source: NVD
Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt
CVE-2017-5242 | P3 | HIGH | CVSS 7.7 | CWE-321 | affected: ≥ 2017-04-05, ≤ 2017-05-03 | 2023-01-12 | source: NVD
Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.
CVE-2024-6504 | P4 | MEDIUM | CVSS 5.3 | CWE-770 | fixed in 6.6.261 | 2024-07-18 | source: NVD
Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests to the Console's port 443 in a short timeframe, causing the console to enter an exception-handling logging loop, exhausti
CVE-2022-3913 | P4 | MEDIUM | CVSS 5.3 | CWE-295 | affected: ≥ 6.6.82, < 6.6.178 | 2023-02-01 | source: NVD
Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing
CVE-2021-3844 | P4 | MEDIUM | CVSS 5.4 | fixed in 6.5.50 | 2023-03-24 | source: NVD
Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing
CVE-2019-5641 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | affected: ≤ 6.6.160; ≥ 6.6.160, ≤ 6.6.160 | 2022-09-21 | source: NVD
Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by the previous user.
CVE-2023-0681 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 6.6.179 | 2023-03-20 | source: NVD
Rapid7 InsightVM versions 6.6.178 and lower suffer from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker's choice using the 'page' parameter of the 'data/console/redirect' component of the application. This issue was resolved in the February 2023 release of version 6.6.179.
CVE-2024-2745 | P4 | LOW | CVSS 3.3 | CWE-598 | fixed in 6.6.244 | 2024-04-02 | source: NVD
Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded. This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames, etc.