CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 6CVE-2014-7280 – Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-7280
Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Build #85 for Tenable Nessus 5.x allows remote web servers to inject arbitrary web script or HTML via the server header. Vulnerabilidad de XSS en la interfaz de usuario Web anterior a 2.3.4 Build #85 para Tenable Nessus 5.x permite a servidores web remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cabecera de servidor. Nessus Web UI version 2.3.3 suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/34929 http://osvdb.org/112728 http://packetstormsecurity.com/files/128579/Nessus-Web-UI-2.3.3-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Oct/26 http://www.exploit-db.com/exploits/34929 http://www.securityfocus.com/bid/70274 http://www.tenable.com/security/tns-2014-08 http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 1CVE-2014-4980 – Tenable Nessus 5.2.7 Parameter Tampering / Authentication Bypass
https://notcve.org/view.php?id=CVE-2014-4980
The /server/properties resource in Tenable Web UI before 2.3.5 for Nessus 5.2.3 through 5.2.7 allows remote attackers to obtain sensitive information via the token parameter. El recurso /server/properties en Tenable Web UI anterior a 2.3.5 para Nessus 5.2.3 hasta 5.2.7 permite a atacantes remotos obtener información sensible a través del parámetro token. Tenable Nessus versions 5.2.3 through 5.2.7 suffer from authentication bypass vulnerabilities via parameter tampering. • http://packetstormsecurity.com/files/127532/Tenable-Nessus-5.2.7-Parameter-Tampering-Authentication-Bypass.html http://www.halock.com/blog/cve-2014-4980-parameter-tampering-nessus-web-ui http://www.osvdb.org/109376 http://www.securityfocus.com/archive/1/532839/100/0/threaded http://www.securityfocus.com/bid/68782 http://www.securitytracker.com/id/1030614 http://www.tenable.com/security/tns-2014-05 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2848
https://notcve.org/view.php?id=CVE-2014-2848
A race condition in the wmi_malware_scan.nbin plugin before 201402262215 for Nessus 5.2.1 allows local users to gain privileges by replacing the dissolvable agent executable in the Windows temp directory with a Trojan horse program. Una condición de carrera en el plugin wmi_malware_scan.nbin anterior a 201402262215 para Nessus 5.2.1 permite a usuarios locales ganar privilegios mediante la sustitución del ejecutable del agente volátil en el directorio temporal de Windows con un programa de caballo de troya. • http://secunia.com/advisories/57403 http://www.securitytracker.com/id/1029946 https://discussions.nessus.org/thread/7195 https://www.nccgroup.com/en/learning-and-research-centre/technical-advisories/nessus-authenticated-scan-local-privilege-escalation • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-5911
https://notcve.org/view.php?id=CVE-2013-5911
Cross-site scripting (XSS) vulnerability in devform.php in Tenable SecurityCenter 4.6 through 4.7 allows remote attackers to inject arbitrary web script or HTML via the message parameter. Vulnerabilidad XSS en devform.php en Tenable SecurityCenter v4.6 hasta v4.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través del parámetro "message". • http://www.osvdb.org/97584 https://discussions.nessus.org/message/22174#22174 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •