CVE-2024-11401

Dec. 11, 2024, 10:15 a.m.

None
No Score

Description

Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024.

Product(s) Impacted

Product Versions
Rapid7 Insight Platform
  • ['before November 13th 2024']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://cwe.mitre.org/data/definitions/862.html

Tags

CWE-862
cve@rapid7.com
2024-12-11
CVE-2024-11401

Timeline

Published: Dec. 11, 2024, 10:15 a.m.
Last Modified: Dec. 11, 2024, 10:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@rapid7.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.