CVE-2019-5638
Severity: HIGH
Rapid7 Nexpose <= 6.5.50 - Insufficient Session Expiration
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.
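As an added illustration of the CWE-613 weakness described above and its mitigation (example code, not Rapid7's): a session store that records the credential version each session was issued under, so an administrator's password change invalidates every session that user already holds. The class, function names and the TTL value are assumptions; the `invalidate_on_change=False` switch reproduces the behaviour the advisory describes, for comparison.

```python
import hashlib
import os
import secrets
import time

SESSION_TTL = 3600  # assumed idle limit in seconds


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Each session stores the credential version it was issued under.
    A security-relevant edit (here: admin password change) bumps the user's
    version, so older sessions fail validation on their next request."""

    def __init__(self, invalidate_on_change=True):
        self.invalidate_on_change = invalidate_on_change
        self._users = {}     # username -> {salt, pw_hash, cred_version}
        self._sessions = {}  # token -> {user, cred_version, expires}

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "pw_hash": _hash(password, salt),
                             "cred_version": 1}

    def login(self, user, password):
        rec = self._users.get(user)
        if rec is None or not secrets.compare_digest(
                rec["pw_hash"], _hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user,
                                 "cred_version": rec["cred_version"],
                                 "expires": time.time() + SESSION_TTL}
        return token

    def admin_set_password(self, user, new_password):
        rec = self._users[user]
        rec["salt"] = os.urandom(16)
        rec["pw_hash"] = _hash(new_password, rec["salt"])
        if self.invalidate_on_change:
            rec["cred_version"] += 1  # every earlier session is now stale

    def validate(self, token):
        s = self._sessions.get(token)
        if s is None or time.time() > s["expires"]:
            self._sessions.pop(token, None)
            return None
        if s["cred_version"] != self._users[s["user"]]["cred_version"]:
            self._sessions.pop(token, None)  # issued under a superseded credential
            return None
        return s["user"]
```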
References (2)
Release Notes (x_refsource_confirm): https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/
Third Party Advisory (vendor-advisory): https://docs.rapid7.com/insightvm/enable-insightvm-platform-login
Scores
CVSS v3: 8.7
EPSS: 0.0097
EPSS Percentile: 57.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE: CWE-613
Status: published
Products (1): rapid7/nexpose < 6.5.50
Published: Aug 21, 2019
Tracked Since: Feb 18, 2026