CVE-2022-4261

MEDIUM Year: 2022
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-494
View all →

Vulnerability Description

Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.

Related Vulnerabilities

CVE-2021-41714

MEDIUM
CVSS:6.5(Medium)

In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, la...

CWE-4942021

CVE-2022-31324

MEDIUM
CVSS:6.5(Medium)

An arbitrary file download vulnerability in the downloadAction() function of Penta Security Systems Inc WAPPLES v6.0 r3 4.10-hotfix1 allows attackers to download arbitrary files via a crafted POST req...

CWE-4942022

CVE-2022-37908

MEDIUM
CVSS:6.5(Medium)

An authenticated attacker can impact the integrity of the ArubaOS bootloader on 7xxx series controllers. Successful exploitation can compromise the hardware chain of trust on the impacted controller.

CWE-4942022

CVE-2023-24500

MEDIUM
CVSS:6.5(Medium)

Electra Central AC unit – Adjacent attacker may cause the unit to load unauthorized FW.

CWE-4942023

CVE-2023-24503

MEDIUM
CVSS:6.5(Medium)

Electra Central AC unit – Adjacent attacker may cause the unit to load unauthorized FW.

CWE-4942023

CVE-2023-46144

MEDIUM
CVSS:6.5(Medium)

A download of code without integrity check vulnerability in PLCnext products allows an remote attacker with low privileges to compromise integrity on the affected engineering station and the connected...

CWE-4942023