CVE-2019-5630

low-risk
Published 2019-07-03

A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.

Do I need to act?

~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Nexpose

Affected Vendors

Rapid7

References (2)

Release Notes https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69
Release Notes https://help.rapid7.com/nexpose/en-us/release-notes#6.5.69
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal