CVE-2017-5244
LOWMetasploit Pro, Express, and Community < 4.14.0 (Update 2017061301) - Cross-Site Request Forgery via Task Stop Routes
Title source: llmDescription
Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/99082
Exploit, VDB Entry, Vendor Advisory x_refsource_confirm
https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed
Third Party Advisory x_refsource_misc
https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/
Scores
CVSS v3
3.5
EPSS
0.0072
EPSS Percentile
49.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Details
CWE
CWE-352
Status
published
Products (2)
rapid7/metasploit
< 4.13.19
Rapid7/Metasploit (Pro, Express, and Community editions)
< 4.14.0 (Update 2017061301)
Published
Jun 15, 2017
Tracked Since
Feb 18, 2026