Page 2 of 17 results (0.002 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. This issue was resolved in version 6.6.96, released on August 4, 2021. Rapid7 Nexpose versiones 6.6.95 y anteriores, permiten a usuarios autenticados de la Consola de Seguridad visualizar y editar cualquier ticket en la funcionalidad legacy ticketing, independientemente de la asignación del ticket. Este problema fue resuelto en versión 6.6.96, publicada el 4 de agosto de 2021. • https://docs.rapid7.com/release-notes/nexpose/20210804 • CWE-306: Missing Authentication for Critical Function •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. This issue affects version 6.6.80 and prior, and is fixed in 6.6.81. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version. Rapid7 Nexpose es suceptible a una vulnerabilidad de tipo cross-site scripting no persistente que afecta a la funcionalidad Filtered Asset Search de Security Console. • https://docs.rapid7.com/release-notes/nexpose/20210505 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access. Un problema de inyección SQL en Rapid7 Nexpose versiones anteriores a 6.6.49, que puede haber permitido a un usuario autenticado con un nivel de permiso bajo acceder a recursos y realizar cambios a los que no debería haber sido capaz de acceder • https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.49 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

Rapid7 Nexpose installer version prior to 6.6.40 contains an Unquoted Search Path which may allow an attacker on the local machine to insert an arbitrary file into the executable path. This issue affects: Rapid7 Nexpose versions prior to 6.6.40. El instalador de Rapid7 Nexpose versiones anteriores a 6.6.40, contiene una Ruta de Búsqueda Sin Comillas que puede permitir a un atacante en la máquina local insertar un archivo arbitrario en la ruta ejecutable. Este problema afecta a: Rapid7 Nexpose versiones anteriores a 6.6.40 • https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40 • CWE-428: Unquoted Search Path or Element •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Security Console installation and any arbitrary code executable using the same file name. En el instalador de Rapid7 Nexpose versiones anteriores a 6.6.40, el instalador de Nexpose llama un ejecutable que puede ser colocado por un atacante en el directorio apropiado con acceso a la máquina local. Esto impediría que el instalador distinga entre un ejecutable válido llamado durante una instalación de Security Console y cualquier código arbitrario ejecutable usando el mismo nombre de archivo • https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40 • CWE-94: Improper Control of Generation of Code ('Code Injection') •