Posts tagged Vulnerability Disclosure

11 min Vulnerability Disclosure

CVE-2023-47218: QNAP QTS and QuTS Hero Unauthenticated Command Injection (FIXED)

Rapid7 has identified an unauthenticated command injection vulnerability in the QNAP operating system known as QTS, a core part of the firmware for numerous QNAP entry- and mid-level Network Attached Storage (NAS) devices.

1 min Velociraptor

CVE-2023-5950 Rapid7 Velociraptor Reflected XSS

This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability.

8 min Vulnerability Disclosure

Multiple Vulnerabilities in South River Technologies Titan MFT and Titan SFTP [FIXED]

As part of our continuing research project into managed file transfer risk, including JSCAPE MFT and Fortra Globalscape EFT Server, Rapid7 discovered several vulnerabilities in South River Technologies’ Titan MFT and Titan SFTP servers.

4 min Vulnerability Disclosure

CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)

In August 2023, Rapid7 discovered CVE-2023-4528, a Java deserialization vulnerability in Redwood Software’s JSCAPE MFT secure managed file transfer product. Successful exploitation can run arbitrary Java code as the `root` on Linux or the `SYSTEM` user on Windows.

6 min Vulnerability Disclosure

CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability

Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API in unsupported versions of MobileIron Core (11.2 and below).

5 min Vulnerability Disclosure

CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED]

Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue.

7 min Vulnerability Disclosure

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion that allows an attacker to access the administration endpoints.

22 min Vulnerability Disclosure

Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED]

Rapid7 has uncovered four issues in Fortra Globalscape EFT, the worst of which can lead to remote code execution.

4 min Vulnerability Disclosure

Raptor Technologies Volunteer Management Client-Side Security Controls (FIXED)

A vulnerability in Raptor Technology Volunteer Management for Schools is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

33 min Vulnerability Disclosure

Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed)

In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure.

7 min Vulnerability Disclosure

CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures

Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution.

4 min Vulnerability Disclosure

Microsoft Defender for Cloud Management Port Exposure Confusion

Microsoft Defender for Cloud, until recently, didn't distinguish "" as a synonym for "any" when checking for management port exposures for Azure instances.

13 min Vulnerability Disclosure

Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419)

Rapid7 has discovered, and is now disclosing, eight XSS issues affecting four on-premises document management systems. As of this disclosure, none have patches available.

5 min Vulnerability Disclosure

CVE-2023-22374: F5 BIG-IP Format String Vulnerability

Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy.

5 min Vulnerability Disclosure

Refreshing Rapid7's Coordinated Vulnerability Disclosure Policy

Rapid7 has updated its coordinated vulnerability disclosure (CVD) policy and philosophy. In this article, you'll learn what prompted the changes.