CVE-2024-11401 Information

Description

Rapid7 Insight Platform versions prior to November 13th 2024 suffer from a privilege escalation vulnerability whereby due to a lack of authorization checks an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform’s User Interface). This vulnerability has been fixed as of November 13th 2024.

Reference

https://cwe.mitre.org/data/definitions/862.html