CVE-2023-1699 – Rapid7 Nexpose Forced Browsing
https://notcve.org/view.php?id=CVE-2023-1699
30 Mar 2023 — Rapid7 Nexpose versions 6.6.186 and below suffer from a forced browsing vulnerability. This vulnerability allows an attacker to manipulate URLs to forcefully browse to and access administrative pages. This vulnerability is fixed in version 6.6.187. • https://docs.rapid7.com/release-notes/nexpose/20230329 • CWE-425: Direct Request ('Forced Browsing')
CVE-2021-3844 – Rapid7 InsightVM Insufficient Session Expiration
https://notcve.org/view.php?id=CVE-2021-3844
24 Mar 2023 — Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use... • https://docs.rapid7.com/insightvm/enable-insightvm-platform-login • CWE-613: Insufficient Session Expiration
CVE-2023-1306 – Rapid7 InsightCloudSec resource.db() method access
https://notcve.org/view.php?id=CVE-2023-1306
21 Mar 2023 — An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. • https://docs.divvycloud.com/changelog/23321-release-notes • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-1305 – Rapid7 InsightCloudSec box object access
https://notcve.org/view.php?id=CVE-2023-1305
21 Mar 2023 — An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as YAML or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. • https://docs.divvycloud.com/changelog/23321-release-notes • CWE-653: Improper Isolation or Compartmentalization
CVE-2023-1304 – Rapid7 InsightCloudSec getattr() method access
https://notcve.org/view.php?id=CVE-2023-1304
21 Mar 2023 — An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. • https://docs.divvycloud.com/changelog/23321-release-notes • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-0681 – Rapid7 Nexpose Uncontrolled URL Redirect
https://notcve.org/view.php?id=CVE-2023-0681
20 Mar 2023 — Rapid7 InsightVM versions 6.6.178 and lower suffer from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February 2023 release of version 6.6.179. • https://docs.rapid7.com/release-notes/nexpose/20230208 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-0599 – Rapid7 Metasploit Pro Stored XSS
https://notcve.org/view.php?id=CVE-2023-0599
01 Feb 2023 — Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross-site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator. • https://docs.rapid7.com/release-notes/metasploit/20230130 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3913 – Rapid7 Nexpose Certificate Validation Issue
https://notcve.org/view.php?id=CVE-2022-3913
01 Feb 2023 — Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either sp... • https://docs.rapid7.com/release-notes/nexpose/20230201 • CWE-295: Improper Certificate Validation
CVE-2023-0290 – Rapid7 Velociraptor directory traversal in client ID parameter
https://notcve.org/view.php?id=CVE-2023-0290
18 Jan 2023 — Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in the location where the collection task could be written. It was possible to provide a client ID of "../clients/server" to schedule the collection for the server (as a server artifact), while only requiring privileges to schedule collections on the client. Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "adm... • https://github.com/Velocidex/velociraptor • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-0242 – Insufficient permission check in the VQL copy() function
https://notcve.org/view.php?id=CVE-2023-0242
18 Jan 2023 — Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server, including writing arbitrary files. However, lower-privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low-privilege user (usually, users with the Velociraptor "investigator" role) to over... • https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check • CWE-269: Improper Privilege Management • CWE-862: Missing Authorization