SQL Injection in Rapid7 Nexpose
CVE-2020-7383

6.5MEDIUM

Key Information:

Vendor: Rapid7
Status: Nexpose
Vendor: CVE Published:; 14 October 2020

What is CVE-2020-7383?

A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.

Affected Version(s)

Nexpose < 6.6.49

References

https://help.rapid7.com/insightvm/en-us/release-notes/ind...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2020
Vulnerability Reserved
Jan 21, 2020

Credit

This issue was discovered and reported by Mikhail Klyuchnikov of Positive Technologies.