8 results (0.001 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261. Las versiones de Rapid7 InsightVM Console inferiores a 6.6.260 sufren una falla en el mecanismo de protección mediante el cual un atacante con acceso de red a InsightVM Console puede provocar que se sobrecargue o falle al enviar repetidas solicitudes REST no válidas en un corto período de tiempo al puerto 443 de la consola, lo que provoca que la consola se bloquee. para ingresar a un bucle de registro de manejo de excepciones, agotando la CPU. No hay indicios de que un atacante pueda utilizar este método para escalar privilegios, adquirir acceso no autorizado a datos u obtener control de recursos protegidos. • https://docs.rapid7.com/release-notes/insightvm/20240717 • CWE-693: Protection Mechanism Failure •

CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0

Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded.  This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.     The vulnerability is remediated in version 6.6.244. La página de inicio de sesión en modo de mantenimiento InsightVM de Rapid7 sufre una vulnerabilidad de exposición de información confidencial por la cual, la información confidencial queda expuesta a través de cadenas de consulta en la URL cuando se intenta iniciar sesión antes de que la página esté completamente cargada. Esta vulnerabilidad permite a los atacantes adquirir información confidencial como contraseñas, tokens de autenticación, nombres de usuario, etc. • https://docs.rapid7.com/release-notes/insightvm/20240327 • CWE-598: Use of GET Request Method With Sensitive Query Strings •

CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0

Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638. • https://docs.rapid7.com/insightvm/enable-insightvm-platform-login https://www.cve.org/cverecord?id=CVE-2019-5638 • CWE-613: Insufficient Session Expiration •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February, 2023 release of version 6.6.179. • https://docs.rapid7.com/release-notes/nexpose/20230208 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. Los dispositivos virtuales Nexpose e InsightVM descargados entre el 5 de abril de 2017 y el 3 de mayo de 2017 contienen claves de host SSH idénticas. Normalmente, se debe generar una clave de host SSH única la primera vez que se inicia un dispositivo virtual. • https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242 • CWE-321: Use of Hard-coded Cryptographic Key CWE-330: Use of Insufficiently Random Values •