CVE-2025-11195
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-08
Assigner: Rapid7, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rapid7 | appspider_pro | < 7.5.021 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Rapid7 AppSpider Pro versions below 7.5.021 allows an attacker to edit the project name directly in the configuration file and set it to a name that already exists. It occurs because the application does not effectively verify the uniqueness of project names when they are edited outside the application, so duplicate names are accepted and can cause conflicts or unintended behavior.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker with local access to modify project names in the configuration file so that they duplicate existing project names. This could lead to confusion, mismanagement of projects, or unintended interference with project data or operations, although it does not directly affect confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rapid7 AppSpider Pro to version 7.5.021 or later, as this version remediates the project name validation vulnerability.