CVE-2024-11401 MEDIUM

CVE-2024-11401: Rapid7 Insight Platform Privilege Escalation Vulnerability

Vendor Rapid7

Product Insight Platform

Weakness CWE-862 · Missing authorization

Published December 11, 2024

Last update December 11, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024.

Key dates

02Disclosure timeline

December 11, 2024 CVE published

December 11, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-11401 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-8432 Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update CVE-2025-63006 WordPress EventPrime plugin <= 4.2.4.1 - Broken Access Control vulnerability CVE-2025-66071 WordPress Custom Order Numbers for WooCommerce plugin <= 1.11.0 - Broken Access Control vulnerability CVE-2026-28554 wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler CVE-2026-8495 Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037