CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-11508
https://notcve.org/view.php?id=CVE-2017-11508
SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection vulnerability that could be exploited by an authenticated user with sufficient privileges to run diagnostic scans. An attacker could exploit this vulnerability by entering a crafted SQL query into the password field of a diagnostic scan within SecurityCenter. Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access. Las versiones 5.5.0, 5.5.1 y 5.5.2 de SecurityCenter contienen una vulnerabilidad de inyección SQL que podría explotarse por un usuario autenticado con los privilegios suficientes para ejecutar análisis de diagnóstico. Un atacante podría explotar esta vulnerabilidad introduciendo una consulta SQL manipulada en el campo password de un análisis de diagnóstico en SecurityCenter. • http://www.securitytracker.com/id/1039804 https://www.tenable.com/security/tns-2017-13 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.4EPSS: 0%CPEs: 47EXPL: 0CVE-2017-11506
https://notcve.org/view.php?id=CVE-2017-11506
When linking a Nessus scanner or agent to Tenable.io or other manager, Nessus 6.x before 6.11 does not verify the manager's TLS certificate when making the initial outgoing connection. This could allow man-in-the-middle attacks. Cuando se enlaza un escáner o agente Nessus a Tenable.io u otro gestor, Nessus en versiones 6.x anteriores a la 6.11 no verifica el certificado TLS del gestor cuando se realiza la conexión de salida inicial. Esto podría permitir ataques man-in-the-middle. • http://www.securitytracker.com/id/1039141 https://www.tenable.com/security/tns-2017-11 • CWE-295: Improper Certificate Validation •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2017-2122
https://notcve.org/view.php?id=CVE-2017-2122
Cross-site scripting vulnerability in Nessus versions 6.8.0, 6.8.1, 6.9.0, 6.9.1 and 6.9.2 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-Site Scripting (XSS) en Nessus, en las versiones 6.8.0, 6.8.1, 6.9.1 y 6.9.2 permite a los atacantes remotos autenticados inyectar scripts web o HTML arbitrarios mediante vectores sin especificar. • http://jvn.jp/en/jp/JVN87760109/index.html https://www.tenable.com/security/tns-2017-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 16%CPEs: 11EXPL: 1CVE-2017-8051 – Tenable Appliance < 4.5 - Root Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-8051
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands. Tenable Appliance 3.5 - 4.4.0, y, posiblemente, versiones anteriores, contiene un fallo en la secuencia de comandos simpleupload.py en la Web UI. Mediante la manipulación del parámetro tns_appliance_session_user, un atacante remoto puede inyectar comandos arbitrarios. • https://www.exploit-db.com/exploits/41892 http://www.tenable.com/security/tns-2017-07 https://vulndb.cyberriskanalytics.com/153135 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8050
https://notcve.org/view.php?id=CVE-2017-8050
Tenable Appliance 4.4.0, and possibly prior, contains a flaw in the Web UI that allows for the unauthorized manipulation of the admin password. Tenable Appliance 4.4.0, , y, posiblemente, versiones anteriores, contiene un fallo en la Web UI que permite la manipulación no autorizada de la contraseña del admin. • http://www.tenable.com/security/tns-2017-07 https://vulndb.cyberriskanalytics.com/153134 •