Rapid7 Nexpose Information Disclosure after logout
CVE-2019-5640

5.3MEDIUM

Key Information:

Vendor: Rapid7
Status: Nexpose
Vendor: CVE Published:; 22 November 2021

What is CVE-2019-5640?

Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

Affected Version(s)

Nexpose 1.0 <= 6.6.114

References

https://docs.rapid7.com/release-notes/nexpose/20211117/

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 22, 2021
Vulnerability Reserved
Jan 7, 2019

Credit

Ashutosh Barot