CVE-2019-5641 - Vulnerability Details - OpenCVE

Description

Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

Published: 2022-09-21

Score: 3.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Rapid7

InsightVM

affected

Version	Status	Constraints
`6.6.160`	affected	≤ 6.6.160

Configuration 1 [-]

cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2019-15216	Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00133.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://docs.rapid7.com/release-notes/insightvm/20220830/

History

Thu, 29 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Rapid7 Insightvm

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2022-09-21T14:45:14.786Z

Updated: 2025-05-29T18:28:29.705Z

Reserved: 2019-01-07T00:00:00.000Z

Link: CVE-2019-5641

Vulnrichment

Updated: 2024-08-04T20:01:52.221Z

NVD

Status : Modified

Published: 2022-09-21T15:15:10.243

Modified: 2024-11-21T04:45:17.407

Link: CVE-2019-5641

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "InsightVM", "vendor": "Rapid7", "versions": [{"lessThanOrEqual": "6.6.160", "status": "affected", "version": "6.6.160", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Ashutosh Barot reported this vulnerability to Rapid7"}], "datePublic": "2022-08-30T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-21T14:45:14.000Z", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://docs.rapid7.com/release-notes/insightvm/20220830/"}], "source": {"discovery": "UNKNOWN"}, "title": "Rapid7 InsightVM Information Disclosure after Logout", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2022-08-30T09:00:00.000Z", "ID": "CVE-2019-5641", "STATE": "PUBLIC", "TITLE": "Rapid7 InsightVM Information Disclosure after Logout"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "InsightVM", "version": {"version_data": [{"platform": "", "version_affected": "<=", "version_name": "6.6.160", "version_value": "6.6.160"}]}}]}, "vendor_name": "Rapid7"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Ashutosh Barot reported this vulnerability to Rapid7"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user"}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://docs.rapid7.com/release-notes/insightvm/20220830/", "refsource": "CONFIRM", "url": "https://docs.rapid7.com/release-notes/insightvm/20220830/"}]}, "solution": [], "source": {"advisory": "", "defect": [], "discovery": "UNKNOWN"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:01:52.221Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://docs.rapid7.com/release-notes/insightvm/20220830/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T18:41:24.403832Z", "id": "CVE-2019-5641", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T18:28:29.705Z"}}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2019-5641", "datePublished": "2022-09-21T14:45:14.786Z", "dateReserved": "2019-01-07T00:00:00.000Z", "dateUpdated": "2025-05-29T18:28:29.705Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20220830/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:01:52.221Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-5641", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-27T18:41:24.403832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T18:41:42.893Z"}}], "cna": {"title": "Rapid7 InsightVM Information Disclosure after Logout", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Ashutosh Barot reported this vulnerability to Rapid7"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Rapid7", "product": "InsightVM", "versions": [{"status": "affected", "version": "6.6.160", "versionType": "custom", "lessThanOrEqual": "6.6.160"}]}], "datePublic": "2022-08-30T00:00:00.000Z", "references": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20220830/", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2022-09-21T14:45:14.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Ashutosh Barot reported this vulnerability to Rapid7"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, "source": {"defect": [], "advisory": "", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"platform": "", "version_name": "6.6.160", "version_value": "6.6.160", "version_affected": "<="}]}, "product_name": "InsightVM"}]}, "vendor_name": "Rapid7"}]}}, "exploit": [], "solution": [], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20220830/", "name": "https://docs.rapid7.com/release-notes/insightvm/20220830/", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "work_around": [], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-5641", "AKA": "", "STATE": "PUBLIC", "TITLE": "Rapid7 InsightVM Information Disclosure after Logout", "ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2022-08-30T09:00:00.000Z"}, "configuration": []}}}, "cveMetadata": {"cveId": "CVE-2019-5641", "state": "PUBLISHED", "dateUpdated": "2025-05-29T18:28:29.705Z", "dateReserved": "2019-01-07T00:00:00.000Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2022-09-21T14:45:14.786Z", "assignerShortName": "rapid7"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*", "matchCriteriaId": "92D55F81-2863-4161-A9BE-D9845CEA085F", "versionEndIncluding": "6.6.160", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user"}, {"lang": "es", "value": "Rapid7 InsightVM sufre un problema de exposici\u00f3n de informaci\u00f3n por el que, cuando la sesi\u00f3n del usuario ha finalizado por inactividad, un atacante puede usar la funci\u00f3n del navegador Inspect Element para eliminar el panel de acceso y visualizar los detalles disponibles en la \u00faltima p\u00e1gina web visitada por el usuario anterior"}], "id": "CVE-2019-5641", "lastModified": "2024-11-21T04:45:17.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cve@rapid7.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-21T15:15:10.243", "references": [{"source": "cve@rapid7.com", "tags": ["Vendor Advisory"], "url": "https://docs.rapid7.com/release-notes/insightvm/20220830/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://docs.rapid7.com/release-notes/insightvm/20220830/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}