CVE-2021-31868
Severity: MEDIUM
Rapid7 Nexpose < 6.6.96 - Authenticated Insecure Direct Object Reference in Legacy Ticketing Feature
Title source: llmDescription
Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. This issue was resolved in version 6.6.96, released on August 4, 2021.
References (1)
Release Notes, Vendor Advisory (x_refsource_confirm)
https://docs.rapid7.com/release-notes/nexpose/20210804/
Scores
CVSS v3
4.3
EPSS
0.0047
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (1)
rapid7/nexpose
< 6.6.96
Published
Aug 19, 2021
Tracked Since
Feb 18, 2026