CVE-2023-0681

Severity CVSS v4.0:

Pending analysis

Type:

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Publication date:

20/03/2023

Last modified:

07/11/2023

Description

Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February, 2023 release of version 6.6.179. <br /> <br />

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.10 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score 3.x

6.10

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:rapid7:insightvm::::::::		6.6.179 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://docs.rapid7.com/release-notes/nexpose/20230208/