Home/Product/rapid7 metasploit
Product

rapid7 metasploit

19 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2023-0599
<= 4.21.2
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScri
6.1MEDIUM
 CVE-2020-7385
< 4.19.0
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deseria
8.1HIGH
 CVE-2020-7384
< 4.19.0
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file tha
7.0HIGH
 CVE-2019-5645
<= 5.0.27
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitra
7.5HIGH
 CVE-2020-7377
>= 4.12.40 and < 6.0.3
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vu
8.1HIGH
 CVE-2020-7376
>= 4.11.7 and < 6.0.3
The Metasploit Framework module "post/osx/gather/enum_osx module" is affected by a relative path traversal vulnerability in the ge
7.1HIGH
 CVE-2020-7355
< 4.17.1
Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attack
6.1MEDIUM
 CVE-2020-7354
< 4.17.1
Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacke
6.1MEDIUM
 CVE-2020-7350
< 5.0.85
Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify
6.1MEDIUM
 CVE-2019-5642
< 4.16.0
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is wr
3.3LOW
 CVE-2019-5624
<= 4.14.0
Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path
7.3HIGH
 CVE-2017-15084
<= 4.14.1
The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22.
6.5MEDIUM
 CVE-2017-5244
<= 4.13.19
Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should
3.5LOW
 CVE-2017-5235
<= 4.13.0-2017012501
Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible
7.8HIGH
 CVE-2017-5231
<= 4.13.19
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterprete
7.1HIGH
 CVE-2017-5229
<= 4.13.19
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterprete
7.1HIGH
 CVE-2017-5228
<= 4.13.19
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterprete
7.1HIGH
 CVE-2011-1056
all versions
The installer for Metasploit Framework 3.5.1, when running on Windows, uses weak inherited permissions for the Metasploit installa
 CVE-2005-2482
all versions
The StateToOptions function in msfweb in Metasploit Framework 2.4 and earlier, when running with the -D option (defanged mode), al
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Coverage report
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns TAXII feed Data sources
About All capabilities Pricing API docs Live status Privacy policy Terms of service
threatengine.sh