CVE-2016-4847
https://notcve.org/view.php?id=CVE-2016-4847
Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex.
• http://jvn.jp/en/jp/JVN58455472/index.html
• http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000141.html
• http://www.securityfocus.com/bid/92536
• https://github.com/ossec/ossec-wui/commit/b4dcbba7a8eb09ba9d38fc69807a8861255736d0
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-7280 – Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-7280
Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Build #85 for Tenable Nessus 5.x allows remote web servers to inject arbitrary web script or HTML via the server header. Nessus Web UI version 2.3.3 suffers from a persistent cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/34929
• http://osvdb.org/112728
• http://packetstormsecurity.com/files/128579/Nessus-Web-UI-2.3.3-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2014/Oct/26
• http://www.exploit-db.com/exploits/34929
• http://www.securityfocus.com/bid/70274
• http://www.tenable.com/security/tns-2014-08
• http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4980 – Tenable Nessus 5.2.7 Parameter Tampering / Authentication Bypass
https://notcve.org/view.php?id=CVE-2014-4980
The /server/properties resource in Tenable Web UI before 2.3.5 for Nessus 5.2.3 through 5.2.7 allows remote attackers to obtain sensitive information via the token parameter. Tenable Nessus versions 5.2.3 through 5.2.7 suffer from authentication bypass vulnerabilities via parameter tampering.
• http://packetstormsecurity.com/files/127532/Tenable-Nessus-5.2.7-Parameter-Tampering-Authentication-Bypass.html
• http://www.halock.com/blog/cve-2014-4980-parameter-tampering-nessus-web-ui
• http://www.osvdb.org/109376
• http://www.securityfocus.com/archive/1/532839/100/0/threaded
• http://www.securityfocus.com/bid/68782
• http://www.securitytracker.com/id/1030614
• http://www.tenable.com/security/tns-2014-05
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor