CVE-2017-5244
Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks.
-
exploitation prediction scoring system. probability this vulnerability will be exploited in the wild in the next 30 days.
cvss
common vulnerability scoring system v3.1. measures intrinsic severity on a 0-10 scale.
epss
0.0020
kev
no
cisa known exploited vulnerabilities catalog. confirmed active exploitation.
CVSS 3.0
Common Vulnerability Scoring System v3.0
3.5
/ 10
LOW
exploitability
Attack Vector
Network
Attack Vector (AV:N): exploitable remotely over the network — most dangerous. no physical or adjacent access needed.
Attack Complexity
Low
Attack Complexity (AC:L): no special conditions needed. attack can be reliably reproduced.
Privileges Required
Low
Privileges Required (PR:L): requires basic user-level access.
User Interaction
Required
User Interaction (UI:R): victim must perform some action (e.g. clicking a link, opening a file).
impact
Scope
Unchanged
Scope (S:U): impact limited to the vulnerable component.
Confidentiality
None
Confidentiality (C:N): no confidentiality impact.
Integrity
None
Integrity (I:N): no integrity impact.
Availability
Low
Availability (A:L): reduced performance or partial service interruption.
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
activity density
rdintel assessment
composite score from 15+ signals including exploitation status, epss probability, detection coverage, and community attention. 0-100 scale.
sign in to view full intelligence
pocs, detection rules, timeline, advisories, and more