Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
rapid7 velociraptor vulnerabilities and exploits
(subscribe to this query)
6.1
CVSSv3
CVE-2023-5950
Rapid7 Velociraptor versions before 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows malicious users to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vuln...
Rapid7 Velociraptor 0.7.0-3
Rapid7 Velociraptor 0.7.0
Rapid7 Velociraptor
8.8
CVSSv3
CVE-2023-0242
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files ...
Rapid7 Velociraptor
4.8
CVSSv3
CVE-2021-3619
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that ...
Rapid7 Velociraptor
5.3
CVSSv3
CVE-2023-2226
Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows malicious user to crash Velociraptor during parsing of maliciously malformed files. For this attack to succeed, the attacker needs to be able to introduce mal...
Rapid7 Velociraptor
5.4
CVSSv3
CVE-2022-35629
Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.
Rapid7 Velociraptor
4.3
CVSSv3
CVE-2023-0290
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for ...
Rapid7 Velociraptor
6.1
CVSSv3
CVE-2022-35630
A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
Rapid7 Velociraptor
5.5
CVSSv3
CVE-2022-35631
On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2.
Rapid7 Velociraptor
4.8
CVSSv3
CVE-2022-35632
The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2.
Rapid7 Velociraptor
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
type confusion
IMAP
CVE-2024-36103
CVE-2024-28995
CVE-2024-37325
CVE-2024-30078
CVE-2024-30082
SQL injection
CVE-2024-30052
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started