CSRF Vulnerability in Metasploit Pro and Express Editions by Rapid7
CVE-2017-5244

3.5LOW

Key Information:

Vendor

Rapid7

Status
Metasploit (pro, Express, And Community Editions)
Vendor
CVE Published:
15 June 2017

What is CVE-2017-5244?

This vulnerability arises from the ability of GET requests to terminate active Metasploit tasks, which ideally should only respond to POST requests. By exploiting this flaw, an attacker could potentially convince an authenticated user to execute malicious JavaScript, leading to the unauthorized termination of running tasks. As of Metasploit version 4.14.0, this issue has been mitigated by restricting task-stopping routes to POST requests that require a valid secret token, effectively preventing CSRF attacks.

Affected Version(s)

Metasploit (Pro, Express, and Community editions) < 4.14.0 (Update 2017061301)

References

http://www.securityfocus.com/bid/99082
vdb-entryx_refsource_BID
https://community.rapid7.com/community/metasploit/blog/20...
x_refsource_CONFIRM
https://www.seekurity.com/blog/general/metasploit-web-pro...
x_refsource_MISC

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2017-5244 : CSRF Vulnerability in Metasploit Pro and Express Editions by Rapid7