A key used in logging.json does not follow the least privilege principle by default and is exposed to local users in the Rapid7 Platform. This allows an attacker with local access to a machine with the logging.json file to use that key to authenticate to the platform with high privileges. This...
6.8CVSS
7.2AI Score
0.0004EPSS
An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer...
7.5CVSS
7.4AI Score
0.001EPSS
A security vulnerability in HPE Insight Remote Support may result in the local disclosure of privileged LDAP...
5.5CVSS
5.4AI Score
0.0004EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. Every keystroke made by any user on a computer with the Student application installed is logged to a world-readable directory. A local attacker can trivially extract these cleartext keystrokes, potentially enabling them to obtain...
3.3CVSS
4.2AI Score
0.0004EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. An unauthenticated attacker is able to upload any type of file to any location on the Teacher Console's computer, enabling a variety of different exploitation paths including code execution. It is also possible for the attacker to.....
8.8CVSS
8.9AI Score
0.001EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been...
7.4CVSS
7.3AI Score
0.0004EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a proof-of-concept script that functions similarly to a Student Console, providing unauthenticated attackers with the ability to exploit XSS vulnerabilities within the Teacher Console...
9.6CVSS
9.3AI Score
0.003EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a crafted program that functions similarly to the Teacher Console. This can compel Student Consoles to connect and put themselves at risk automatically. Connected Student Consoles can be...
8.8CVSS
8.9AI Score
0.001EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. Attacker-supplied input is not validated/sanitized before being rendered in both the Teacher and Student Console applications, enabling an attacker to execute JavaScript in these applications. Due to the rich and highly privileged.....
6.1CVSS
6.5AI Score
0.001EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application allows unauthenticated attackers to view constantly updated screenshots of student desktops and to submit falsified screenshots on behalf of students. Attackers are able to view screenshots...
7.1CVSS
6.9AI Score
0.001EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. A suitably positioned attacker could perform a man-in-the-middle attack on either a connected student or teacher, enabling them to intercept student keystrokes or modify executable files being sent from teachers to...
7.4CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact with....
7.3CVSS
7.1AI Score
0.001EPSS
An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher's Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to...
4.6CVSS
4.7AI Score
0.001EPSS
Rapid7 Insight Agent token handler versions 3.2.6 and below, suffer from a Directory Traversal vulnerability whereby unsanitized input from a CLI argument flows into io.ioutil.WriteFile, where it is used as a path. This can result in a Path Traversal vulnerability and allow an attacker to write...
7.5CVSS
7.4AI Score
0.001EPSS
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to...
7.8CVSS
7.8AI Score
0.0004EPSS
The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the...
5.4CVSS
5.3AI Score
0.001EPSS
Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory e.g. asset_info.json or file_info.json, leading to a loss of...
3.3CVSS
4AI Score
0.0004EPSS
Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent versions 3.0.1 to 3.1.2.34 start, the Python interpreter attempts to load python3.dll at "C:\DLLs\python3.dll," which normally is...
7.8CVSS
7.6AI Score
0.0004EPSS
Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted...
9.8CVSS
9.6AI Score
0.014EPSS
The Transaction Insight reporting component of TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System, TIBCO Foresight Archive and Retrieval System Healthcare Edition, TIBCO Foresight Operational Monitor, TIBCO Foresight Operational Monitor Healthcare Edition, TIBCO Foresight...
8.8CVSS
8.3AI Score
0.001EPSS
A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection...
4.3CVSS
5.9AI Score
0.001EPSS
A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host...
4.3CVSS
5.2AI Score
0.001EPSS
A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by...
5.4CVSS
5.3AI Score
0.001EPSS
Video Insight VMS versions prior to 7.6.1 allow remote attackers to conduct code injection attacks via unspecified...
9.8CVSS
9.5AI Score
0.003EPSS
The NETGEAR Insight application before 2.42 for Android and iOS is affected by password...
9.8CVSS
7.3AI Score
0.002EPSS
HP Systems Insight Manager before 7.0 allows a remote user on adjacent network to access...
5.7CVSS
9.1AI Score
0.001EPSS
A Stack-based Buffer Overflow vulnerability in libbelkin_api.so component of Belkin WeMo Insight Switch firmware allows a local attacker to obtain code execution on the device. This issue affects: Belkin WeMo Insight Switch firmware version 2.00.11396 and prior...
7.8CVSS
7.8AI Score
0.0004EPSS
IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.....
8.2CVSS
7.9AI Score
0.004EPSS
OnCommand Insight versions through 7.3.6 may disclose sensitive account information to an authenticated...
6.5CVSS
6.8AI Score
0.001EPSS
Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent 2.6.3 and prior starts, the Python interpreter attempts to load python3.dll at "C:\DLLs\python3.dll," which normally is writable by...
7.8CVSS
7.6AI Score
0.0004EPSS
NETGEAR Insight Cloud with firmware before Insight 5.6 allows remote authenticated users to achieve command...
7.6CVSS
7.8AI Score
0.001EPSS
Oncommand Insight versions prior to 7.3.5 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified...
7.5CVSS
6.7AI Score
0.002EPSS
A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to login to the Organization. Affected products are: Juniper.....
7.8CVSS
7.2AI Score
0.001EPSS
An issue was discovered in creditease-sec insight through 2018-09-11. depart_delete in srcpm/app/admin/views.py allows...
8.8CVSS
7.4AI Score
0.001EPSS
An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows...
8.8CVSS
7.4AI Score
0.001EPSS
An issue was discovered in creditease-sec insight through 2018-09-11. role_perm_delete in srcpm/app/admin/views.py allows...
8.8CVSS
7.4AI Score
0.001EPSS
An issue was discovered in creditease-sec insight through 2018-09-11. login_user_delete in srcpm/app/admin/views.py allows...
8.8CVSS
7.4AI Score
0.001EPSS
IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks...
6.1CVSS
5.9AI Score
0.001EPSS
IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM...
5.9CVSS
5.7AI Score
0.001EPSS
IBM i2 Enterprise Insight Analysis 2.1.7 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID:...
3.3CVSS
5.3AI Score
0.0004EPSS
VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2) contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which...
7.2CVSS
6.8AI Score
0.001EPSS
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post...
10CVSS
8.9AI Score
0.256EPSS
A remote denial of service vulnerability in HPE Systems Insight Manager in all versions prior to 7.6 was...
7.5CVSS
7.4AI Score
0.007EPSS
An improper input validation vulnerability in HPE Insight Control version 7.6 LR1 was...
5.7CVSS
7.4AI Score
0.0005EPSS
A cross site scripting vulnerability in HPE Systems Insight Manager in all versions prior to 7.6 was...
6.1CVSS
6.5AI Score
0.003EPSS
A remote denial of service vulnerability in HPE Systems Insight Manager in all versions prior to 7.6 was...
7.5CVSS
7.4AI Score
0.007EPSS
Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a CWE-20: input validation vulnerability in transaction broadcast endpoint that can result in Full Path Disclosure. This attack appear to be exploitable via Web...
5.3CVSS
5.2AI Score
0.001EPSS
Rapid7 Insight Collector installers prior to version 1.0.16 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the...
7.8CVSS
6.7AI Score
0.001EPSS
The REST API in the DTE Energy Insight application before 1.7.8 for Android allows remote authenticated users to obtain unspecified customer information via a SQL expression in the filter...
4.3CVSS
4.5AI Score
0.001EPSS