Vulnerability Description
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rapid7 | Nexpose | < 6.4.66 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/102208 (Third Party Advisory, VDB Entry)
- https://help.rapid7.com/nexpose/en-us/release-notes/archive/2017/12/#6.4.66 (Release Notes)
- https://www.exploit-db.com/exploits/43911/
FAQ
What is CVE-2017-5264?
CVE-2017-5264 is a vulnerability with a CVSS score of 8.8 (HIGH). Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
How severe is CVE-2017-5264?
CVE-2017-5264 has been rated HIGH with a CVSS base score of 8.8/10; the CVSS Score section above gives the rating.
Is there a patch for CVE-2017-5264?
Yes. The vendor release notes for Nexpose 6.4.66, linked in the references section above, cover the fix; versions prior to 6.4.66 are affected, so upgrading to 6.4.66 or later addresses the issue. Affected products include: Rapid7 Nexpose.