First published: Wed Jul 03 2019
A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.
Credit: cve@rapid7.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rapid7 Nexpose | >= 6.5.0, <= 6.5.68 | Update the Security Console to 6.5.69 or later |
This issue minimally affects Security Console versions 6.5.0 through 6.5.68. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to 6.5.69 (or later if available).
The vulnerability ID of this CSRF vulnerability is CVE-2019-5630.
The affected software is Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68.
This vulnerability has a severity rating of 8.8 (high).
Attackers can exploit this CSRF vulnerability by using Flash to circumvent a cross-domain pre-flight OPTIONS request on API endpoints.
A fix is available for this vulnerability: update to Rapid7 Nexpose InsightVM Security Console version 6.5.69 or later.
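The description above and the exploitation note both say the cross-domain pre-flight OPTIONS request was being circumvented, which is why a pre-flight is never a CSRF defence on its own. As an added example (not Rapid7's code and not the console's real API), here is a server-side CSRF guard for a JSON API that does not depend on the pre-flight ever happening, shown beside the flawed assumption it replaces. The console origin, the `X-CSRF-Token` header name and the token value are assumptions; the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the Security Console (hypothetical; read it from config in practice).
CONSOLE_ORIGIN = "https://console.example.internal"
# Constructed session-bound anti-CSRF token; new_session_token() mints real ones.
SESSION_TOKEN = "constructed-demo-token"

def new_session_token() -> str:
    """Mint an unguessable token to store in the server-side session."""
    return secrets.token_urlsafe(32)

def weak_is_allowed(method: str, headers: dict) -> bool:
    """Flawed guard: assumes any state-changing request that reached the handler
    already passed the browser's pre-flight OPTIONS check. A client not bound by
    the browser's CORS rules (the page names Flash) never sends that pre-flight,
    so this check protects nothing."""
    return True

def _request_origin(headers: dict):
    """Derive 'scheme://host[:port]' from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None

def hardened_is_allowed(method: str, headers: dict, session_token: str) -> bool:
    """Defensive guard: the server itself checks where the request came from and
    that the caller holds a secret only same-origin pages can read."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods change no state
    if _request_origin(headers) != CONSOLE_ORIGIN:
        return False  # missing or foreign origin: treat as cross-site
    # Compare the echoed token in constant time to avoid timing leaks.
    return hmac.compare_digest(headers.get("X-CSRF-Token", ""), session_token)

if __name__ == "__main__":
    # Constructed requests: same-origin, foreign origin, and one that arrives
    # without any browser CORS metadata at all.
    for name, req in {
        "same-origin": {"Origin": CONSOLE_ORIGIN, "X-CSRF-Token": SESSION_TOKEN},
        "foreign-origin": {"Origin": "https://attacker.example", "X-CSRF-Token": SESSION_TOKEN},
        "no-cors-metadata": {},
    }.items():
        print(name, weak_is_allowed("POST", req), hardened_is_allowed("POST", req, SESSION_TOKEN))
```

The weak guard accepts all three constructed requests; the hardened guard accepts only the same-origin one, and in particular rejects the request that carries no Origin or Referer at all.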