Metasploit
cpe:2.3:a:rapid7:metasploit:*:*:*:*:pro:*:*:*
part: a version: * update: *
| Vendor | Rapid7 (d570a41c-9d2a-5057-8a47-227f116734f8) |
|---|---|
| Product | Metasploit (18f6b95a-9ee1-54c6-a236-06556391475c) |
| Edition | * |
| Language | * |
| Software edition | pro |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2023-0599 | vulnerable | 2026-06-03 14:48:52.210601 | Rapid7 Metasploit Pro Stored XSS<br>MEDIUM (6.1)<br>Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.<br>Published: 2023-02-01T22:13:54.609Z<br>Updated: 2025-03-25T19:28:44.145Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-7355 | vulnerable | 2026-06-03 14:43:06.131269 | Rapid7 Metasploit Pro Stored XSS in 'notes' field<br>MEDIUM (6.1)<br>Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7354, which describes a similar issue, but involving the generated 'host' field of a discovered scan asset.<br>Published: 2020-06-25T17:15:15.975Z<br>Updated: 2024-09-17T02:31:45.777Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-7354 | vulnerable | 2026-06-03 14:43:06.091534 | Rapid7 Metasploit Pro Stored XSS in 'host' field<br>MEDIUM (6.1)<br>Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7355, which describes a similar issue, but involving the generated 'notes' field of a discovered scan asset.<br>Published: 2020-06-25T17:15:15.535Z<br>Updated: 2024-09-17T00:25:26.208Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-5642 | vulnerable | 2026-06-03 14:40:35.894040 | MAGICK<br>LOW (3.3)<br>Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.<br>Published: 2019-11-06T18:30:42.787Z<br>Updated: 2024-09-17T04:24:03.024Z | Imported from gcve-enriched-dumps CVE data |