CVE-2012-6493
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete scan data and sites via a request to data/site/delete.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://community.rapid7.com/docs/DOC-2155#release1
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rapid7 | nexpose | {"endIncluding":"5.5.3"} | |
| rapid7 | nexpose | 5.4 | |
| rapid7 | nexpose | 5.4.1 | |
| rapid7 | nexpose | 5.4.2 | |
| rapid7 | nexpose | 5.4.3 | |
| rapid7 | nexpose | 5.4.4 | |
| rapid7 | nexpose | 5.4.5 | |
| rapid7 | nexpose | 5.4.6 | |
| rapid7 | nexpose | 5.4.7 | |
| rapid7 | nexpose | 5.4.8 | |
| rapid7 | nexpose | 5.4.9 | |
| rapid7 | nexpose | 5.4.10 | |
| rapid7 | nexpose | 5.4.11 | |
| rapid7 | nexpose | 5.4.12 | |
| rapid7 | nexpose | 5.5.1 | |
References
- http://archives.neohapsis.com/archives/bugtraq/2013-01/0014.html
- http://osvdb.org/88923
- http://packetstormsecurity.com/files/119260/Nexpose-Security-Console-Cross-Site-Request-Forgery.html
- http://www.exploit-db.com/exploits/23924
- https://community.rapid7.com/docs/DOC-2155#release1
- http://archives.neohapsis.com/archives/bugtraq/2013-01/0014.html
- http://osvdb.org/88923
- http://packetstormsecurity.com/files/119260/Nexpose-Security-Console-Cross-Site-Request-Forgery.html
- http://www.exploit-db.com/exploits/23924
- https://community.rapid7.com/docs/DOC-2155#release1
CWEs
CWE-352
Verify integrity in audit chain (admin only). AS-IS.