CVE-2025-36857

Low CVSS: 3.3

Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management.

This vulnerability was remediated in version 7.5.021 of the product.

Vendor

Rapid7

Product

Appspider Pro

CWE

CWE-276

Yayın Tarihi

2025-09-25 15:16:11

Güncelleme

2025-12-11 18:20:20

Source Identifier

cve@rapid7.com

KEV Date Added

Kategoriler

CWE-276 Appspider Pro LOW Rapid7 2025

Referanslar

https://docs.rapid7.com/insight/releasenotes-2025sep/#application-security-insightappsec-and-appspider

Benzer Kayıtlar

Medium

CVE-2025-14728

Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue clie…

Low

CVE-2025-11195

Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can…

Medium

CVE-2025-6264

Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do…

Medium

CVE-2025-4951

Editions of Rapid7 AppSpider Pro before version 7.5.018 is vulnerable to a stored cross-site scripting vulnerability in…