CVE-2024-11401 – Rapid7 Insight Platform Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-11401
11 Dec 2024 — Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024. • https://cwe.mitre.org/data/definitions/862.html • CWE-862: Missing Authorization •
CVE-2024-8042 – Rapid7 Insight Platform Unauthorized Empty Group Creation
https://notcve.org/view.php?id=CVE-2024-8042
09 Sep 2024 — Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024. • https://cwe.mitre.org/data/definitions/862.html • CWE-862: Missing Authorization •