Search criteria
2 vulnerabilities found for Nexpose/InsightVM Security Console by Rapid7
CVE-2019-5630 (GCVE-0-2019-5630)
Vulnerability from nvd – Published: 2019-07-03 17:00 – Updated: 2024-08-04 20:01
VLAI?
Title
Rapid7 Nexpose/InsightVM Security Console CSRF
Summary
A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.
Severity ?
5.9 (Medium)
CWE
- Cross-Site Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Nexpose/InsightVM Security Console |
Affected:
6.5.0 through 6.5.68
|
Credits
Thanks to Rodney Beede of Rackspace (https://www.rodneybeede.com/) for finding this issue and reporting it to Rapid7. It is being disclosed in accordance Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:51.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nexpose/InsightVM Security Console",
"vendor": "Rapid7",
"versions": [
{
"status": "affected",
"version": "6.5.0 through 6.5.68"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Rodney Beede of Rackspace (https://www.rodneybeede.com/) for finding this issue and reporting it to Rapid7. It is being disclosed in accordance Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/).\n"
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request."
}
],
"exploits": [
{
"lang": "en",
"value": "In order to exploit this vulnerability, an attacker would have had to create and host a vulnerable .swf file on their own web server and have the user visit the page that hosts this file. Once the user visits this page, the .swf would run in-browser and cause a 307 redirect, which in turn would direct the victim to the API endpoint and make the CSRF request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-03T17:00:55",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue minimally affects Security Console versions 6.5.0 through 6.5.68. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to 6.5.69 (or later if available)."
}
],
"source": {
"advisory": "R7-2019-17",
"discovery": "USER"
},
"title": "Rapid7 Nexpose/InsightVM Security Console CSRF",
"x_generator": {
"engine": "Vulnogram 0.0.7"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2019-5630",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Nexpose/InsightVM Security Console CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nexpose/InsightVM Security Console",
"version": {
"version_data": [
{
"version_value": "6.5.0 through 6.5.68"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Rodney Beede of Rackspace (https://www.rodneybeede.com/) for finding this issue and reporting it to Rapid7. It is being disclosed in accordance Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/).\n"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request."
}
]
},
"exploit": [
{
"lang": "en",
"value": "In order to exploit this vulnerability, an attacker would have had to create and host a vulnerable .swf file on their own web server and have the user visit the page that hosts this file. Once the user visits this page, the .swf would run in-browser and cause a 307 redirect, which in turn would direct the victim to the API endpoint and make the CSRF request."
}
],
"generator": {
"engine": "Vulnogram 0.0.7"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69",
"refsource": "CONFIRM",
"url": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue minimally affects Security Console versions 6.5.0 through 6.5.68. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to 6.5.69 (or later if available)."
}
],
"source": {
"advisory": "R7-2019-17",
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5630",
"datePublished": "2019-07-03T17:00:55",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-08-04T20:01:51.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5630 (GCVE-0-2019-5630)
Vulnerability from cvelistv5 – Published: 2019-07-03 17:00 – Updated: 2024-08-04 20:01
VLAI?
Title
Rapid7 Nexpose/InsightVM Security Console CSRF
Summary
A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.
Severity ?
5.9 (Medium)
CWE
- Cross-Site Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Nexpose/InsightVM Security Console |
Affected:
6.5.0 through 6.5.68
|
Credits
Thanks to Rodney Beede of Rackspace (https://www.rodneybeede.com/) for finding this issue and reporting it to Rapid7. It is being disclosed in accordance Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:51.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nexpose/InsightVM Security Console",
"vendor": "Rapid7",
"versions": [
{
"status": "affected",
"version": "6.5.0 through 6.5.68"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Rodney Beede of Rackspace (https://www.rodneybeede.com/) for finding this issue and reporting it to Rapid7. It is being disclosed in accordance Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/).\n"
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request."
}
],
"exploits": [
{
"lang": "en",
"value": "In order to exploit this vulnerability, an attacker would have had to create and host a vulnerable .swf file on their own web server and have the user visit the page that hosts this file. Once the user visits this page, the .swf would run in-browser and cause a 307 redirect, which in turn would direct the victim to the API endpoint and make the CSRF request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-03T17:00:55",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue minimally affects Security Console versions 6.5.0 through 6.5.68. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to 6.5.69 (or later if available)."
}
],
"source": {
"advisory": "R7-2019-17",
"discovery": "USER"
},
"title": "Rapid7 Nexpose/InsightVM Security Console CSRF",
"x_generator": {
"engine": "Vulnogram 0.0.7"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2019-5630",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Nexpose/InsightVM Security Console CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nexpose/InsightVM Security Console",
"version": {
"version_data": [
{
"version_value": "6.5.0 through 6.5.68"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Rodney Beede of Rackspace (https://www.rodneybeede.com/) for finding this issue and reporting it to Rapid7. It is being disclosed in accordance Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/).\n"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request."
}
]
},
"exploit": [
{
"lang": "en",
"value": "In order to exploit this vulnerability, an attacker would have had to create and host a vulnerable .swf file on their own web server and have the user visit the page that hosts this file. Once the user visits this page, the .swf would run in-browser and cause a 307 redirect, which in turn would direct the victim to the API endpoint and make the CSRF request."
}
],
"generator": {
"engine": "Vulnogram 0.0.7"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69",
"refsource": "CONFIRM",
"url": "https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue minimally affects Security Console versions 6.5.0 through 6.5.68. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to 6.5.69 (or later if available)."
}
],
"source": {
"advisory": "R7-2019-17",
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5630",
"datePublished": "2019-07-03T17:00:55",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-08-04T20:01:51.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}