
Description

Rapid7 Insight Platform versions prior to November 13th 2024 suffer from a privilege escalation vulnerability: due to a missing authorization check, a standard user can update the password policy in the platform settings by crafting an API request directly (the functionality was not exposed through the platform's user interface). This vulnerability has been fixed as of November 13th 2024.
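The flaw above is CWE-862 in its most common shape: the endpoint verifies that the caller is logged in but never checks that the caller holds the privilege the action requires, and the only "control" was that the UI did not offer the button. The following is an added illustration, not Rapid7 code; the handler names, the role name `platform_admin`, the policy fields and the session object are all assumptions made for the example. It shows the vulnerable authentication-only handler beside a hardened one that enforces authorization server-side, and a demo in which a standard user attempts to weaken the policy through both.

```python
# Added illustration of CWE-862 (missing authorization) on a settings endpoint.
# Hypothetical handler, not Rapid7 code: the role name, the policy fields and
# the session shape are assumptions made for this example.
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    roles: set  # e.g. {"standard"} or {"platform_admin"} (assumed role names)


@dataclass
class PlatformSettings:
    password_policy: dict = field(
        default_factory=lambda: {"min_length": 12, "require_mfa": True}
    )


class Forbidden(Exception):
    """Raised when an authenticated caller lacks the required privilege."""


def update_policy_vulnerable(settings, session, new_policy):
    """Vulnerable variant: only authentication is checked.

    Any logged-in user who sends the request directly, bypassing a UI that
    never offered the control, can change the tenant-wide policy.
    """
    if session is None:
        raise PermissionError("authentication required")
    settings.password_policy = dict(new_policy)
    return settings.password_policy


def update_policy_hardened(settings, session, new_policy):
    """Hardened variant: explicit server-side authorization check.

    The check is tied to the privilege the action needs, independent of
    whether any client exposes the action.
    """
    if session is None:
        raise PermissionError("authentication required")
    if "platform_admin" not in session.roles:  # assumed role name
        raise Forbidden(f"{session.user} may not change the password policy")
    settings.password_policy = dict(new_policy)
    return settings.password_policy


def demo():
    """A standard user tries to weaken the policy through both handlers;
    an admin then succeeds through the hardened one. Returns which attempts
    actually changed the stored policy."""
    weak = {"min_length": 4, "require_mfa": False}  # constructed input
    standard = Session(user="alice", roles={"standard"})
    results = {}

    s = PlatformSettings()
    update_policy_vulnerable(s, standard, weak)
    results["vulnerable_changed"] = s.password_policy == weak

    s = PlatformSettings()
    try:
        update_policy_hardened(s, standard, weak)
    except Forbidden:
        pass
    results["hardened_changed"] = s.password_policy == weak

    admin = Session(user="bob", roles={"platform_admin"})
    update_policy_hardened(s, admin, weak)
    results["admin_changed"] = s.password_policy == weak
    return results


if __name__ == "__main__":
    print(demo())
```

The practical check for a tester is the same as the demo: take every state-changing administrative API call the UI issues for an admin, replay it with a standard user's session, and confirm the server rejects it rather than relying on the UI having hidden the control.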

Status: PUBLISHED | Reserved 2024-11-19 | Published 2024-12-11 | Updated 2024-12-11 | Assigner: rapid7




MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Before November 13th 2024
affected

Credits

Harshil Soni (BitBreacher), finder

References

cwe.mitre.org/data/definitions/862.html

cve.org (CVE-2024-11401)

nvd.nist.gov (CVE-2024-11401)
