CVE-2024-2745: 
Rapid7 Vulnerability Management vulnerability analysis and mitigation

Rapid7's InsightVM maintenance mode login page contains a sensitive information exposure vulnerability (CVE-2024-2745) that affects versions up to 6.6.243. The vulnerability exposes sensitive information through query strings in the URL when login is attempted before the page is fully loaded. The issue was discovered and reported by Sreenath Raghunath from Fireware LLC UAE, OMAN (Release Notes).

The vulnerability allows sensitive information to be exposed in the URL query strings during the login process on the maintenance mode page. This exposure occurs specifically when a login attempt is made before the page has completely loaded. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access is required with low attack complexity (NVD).

The vulnerability enables attackers to acquire sensitive information including passwords, authentication tokens, usernames, and database details when exploited. This exposure of credentials in the address bar could lead to unauthorized access to the system (Release Notes).

The vulnerability has been remediated in InsightVM version 6.6.244. Organizations using affected versions (6.6.243 and earlier) should update their Security Console to the latest version to address this security issue (Release Notes).