5 min
Vulnerability Disclosure
Refreshing Rapid7's Coordinated Vulnerability Disclosure Policy
Rapid7 has updated its coordinated vulnerability disclosure (CVD) policy and philosophy. In this article, you'll learn what prompted the changes.
4 min
Vulnerability Disclosure
Cengage LTI Session Management Leakage
Cengage, an education technology provider in use in many higher education environments primarily in the United States, had two issues in the way it handled session management over its Learning Tools Integration (LTI) pipeline.
3 min
Vulnerability Disclosure
CVE-2022-4261: Rapid7 Nexpose Update Validation Issue (FIXED)
Nexpose version 6.6.172 fixes an issue with how Nexpose validates update packages, CVE-2022-4261.
12 min
Vulnerability Disclosure
CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures
Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.
8 min
Vulnerability Disclosure
FLEXlm and Citrix ADM Denial of Service Vulnerability
Note: Updated October 20, 2022 to clarify that this bypasses CVE-2022-27512 and
not CVE-2022-27511, which has a different root cause.
On June 27, 2022, Citrix released an advisory
[https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512]
for CVE-2022-27511 [https://nvd.nist.gov/vuln/detail/CVE-2022-27511] and
CVE-2022-27512 [https://nvd.nist.gov/vuln/detail/CVE-2022-27512], which affect
Citrix ADM (Application Del
7 min
Vulnerability Disclosure
Baxter SIGMA Spectrum Infusion Pumps: Multiple Vulnerabilities (FIXED)
Rapid7 discovered vulnerabilities in two TCP/IP-enabled medical devices produced by Baxter Healthcare.
21 min
Vulnerability Disclosure
Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software
Rapid7 discovered vulnerabilities and non-security issues affecting Cisco ASA, ASDM, and FirePOWER Services Software for ASA.
5 min
Vulnerability Disclosure
CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE
The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable privilege escalation vulnerability.
9 min
Vulnerability Disclosure
QNAP Poisoned XML Command Injection (Silently Patched)
In researching the mystery surrounding alleged exploitation in the wild of CVE-2020-2509, we found what make be an entirely new vulnerability.
8 min
Vulnerability Disclosure
Primary Arms PII Disclosure via IDOR (FIXED)
Primary Arms, a popular e-commerce site dealing in firearms and related merchandise, suffers from an insecure direct object reference (IDOR) vulnerability.
3 min
Vulnerability Disclosure
CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED)
This advisory covers a number of issues identified in Velociraptor and fixed as of Version 0.6.5-2, released July 26, 2022.
5 min
Vulnerability Disclosure
CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation
Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as `nobody`, to escalate to `root` on affected firewalls.
5 min
Vulnerability Disclosure
CVE-2021-3779: Ruby-MySQL Gem Client File Read (FIXED)
The ruby-mysql Ruby gem prior to version 2.10.0 maintained by Tomita Masahiro is vulnerable to an instance of CWE-610.
4 min
Vulnerability Disclosure
CVE-2022-31749: WatchGuard Authenticated Arbitrary File Read/Write (Fixed)
A remote and low-privileged WatchGuard Firebox or XTM user can red arbitrary system files due to an argument injection vulnerability.
3 min
Vulnerability Disclosure
CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)
With CVE-2022-32230, a remote and unauthenticated attacker can trigger a denial-of-service condition on Microsoft Windows Domain Controllers.