Tenable

Tenable Security Center: Improper Certificate Validation in SMTP Server Communication

CVE-2024-12174 - December 09, 2024

An Improper Certificate Validation vulnerability exists in Tenable Security Center where an authenticated, privileged attacker could intercept email messages sent from Security Center via a rogue SMTP server.

A stored cross site scripting vulnerability exists in Nessus Network Monitor where an authenticated, privileged local attacker could inject arbitrary code into the NNM UI

CVE-2024-9158 4.6 - Medium - September 30, 2024

A stored cross site scripting vulnerability exists in Nessus Network Monitor where an authenticated, privileged local attacker could inject arbitrary code into the NNM UI via the local CLI.

XSS

A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application s

CVE-2024-1891 5.4 - Medium - June 12, 2024

A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page.

XSS

An improper privilege management vulnerability exists in Tenable Security Center where an authenticated, remote attacker could view unauthorized objects and launch s

CVE-2024-5759 6.3 - Medium - June 12, 2024

An improper privilege management vulnerability exists in Tenable Security Center where an authenticated, remote attacker could view unauthorized objects and launch scans without having the required privileges

Improper Privilege Management

A DLL injection vulnerability exists where an authenticated, low-privileged local attacker could modify application files on the TIE Secure Relay host, which could

CVE-2024-1683 7.3 - High - February 23, 2024

A DLL injection vulnerability exists where an authenticated, low-privileged local attacker could modify application files on the TIE Secure Relay host, which could allow for overriding of the configuration and running of new Secure Relay services.

Shell injection

A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters

CVE-2024-1367 7.2 - High - February 14, 2024

A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host.

Shell injection

An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters

CVE-2024-1471 4.8 - Medium - February 14, 2024

An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters, which could lead to HTML redirection attacks.

XSS

A SQL injection vulnerability exists where an authenticated, low-privileged remote attacker could potentially alter s

CVE-2024-0971 6.5 - Medium - February 07, 2024

A SQL injection vulnerability exists where an authenticated, low-privileged remote attacker could potentially alter scan DB content.

SQL Injection

A stored XSS vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus proxy settings

CVE-2024-0955 4.8 - Medium - February 07, 2024

A stored XSS vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus proxy settings, which could lead to the execution of remote arbitrary scripts.

XSS

An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host

CVE-2023-6178 6.5 - Medium - November 20, 2023

An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.

Memory Corruption

An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host

CVE-2023-6062 6.5 - Medium - November 20, 2023

An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.

Memory Corruption

NNM failed to properly set ACLs on its installation directory, which could

CVE-2023-5623 7.8 - High - October 26, 2023

NNM failed to properly set ACLs on its installation directory, which could allow a low privileged user to run arbitrary code with SYSTEM privileges where NNM is installed to a non-standard location

Code Injection

Under certain conditions, Nessus Network Monitor was found to not properly enforce input validation

CVE-2023-5624 7.2 - High - October 26, 2023

Under certain conditions, Nessus Network Monitor was found to not properly enforce input validation. This could allow an admin user to alter parameters that could potentially allow a blindSQL injection.

Improper Input Validation

Under certain conditions, Nessus Network Monitor could

CVE-2023-5622 8.8 - High - October 26, 2023

Under certain conditions, Nessus Network Monitor could allow a low privileged user to escalate privileges to NT AUTHORITY\SYSTEM on Windows hosts by replacing a specially crafted file.

Improper Privilege Management

An improper authorization vulnerability exists where an authenticated

CVE-2023-3253 4.3 - Medium - August 29, 2023

An improper authorization vulnerability exists where an authenticated, low privileged remote attacker could view a list of all the users available in the application.

A pass-back vulnerability exists where an authenticated

CVE-2023-3251 4.9 - Medium - August 29, 2023

A pass-back vulnerability exists where an authenticated, remote attacker with administrator privileges could uncover stored SMTP credentials within the Nessus application.This issue affects Nessus: before 10.6.0.

Insufficiently Protected Credentials

An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges could alter logging variables to overwrite arbitrary files on the remote host with log data

CVE-2023-3252 6.5 - Medium - August 29, 2023

An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges could alter logging variables to overwrite arbitrary files on the remote host with log data, which could lead to a denial of service condition.

Vulnerability in Tenable Tenable.Io

CVE-2023-2005 8.8 - High - June 26, 2023

Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center.This issue affects Tenable.Io: before Plugin Feed ID #202306261202 ; Nessus: before Plugin Feed ID #202306261202 ; Security Center: before Plugin Feed ID #202306261202 . This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.

A vulnerability was reported where through modifying the scan variables, an authenticated user in Tenable products

CVE-2022-4313 8.8 - High - March 15, 2023

A vulnerability was reported where through modifying the scan variables, an authenticated user in Tenable products, that has Scan Policy Configuration roles, could manipulate audit policy variables to execute arbitrary commands on credentialed scan targets.

As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally

CVE-2023-0524 8.8 - High - February 01, 2023

As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside. While the probability of successful exploitation is low, Tenable is committed to securing our customers environments and our products. The updates have been distributed via the Tenable plugin feed in feed serial numbers equal to or greater than #202212212055.

A stored cross-site scripting (XSS) vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users

CVE-2023-24494 5.4 - Medium - January 26, 2023

A stored cross-site scripting (XSS) vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session.

XSS

A formula injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users

CVE-2023-24493 5.7 - Medium - January 26, 2023

A formula injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could leverage the reporting system to export reports containing formulas, which would then require a victim to approve and execute on a host.

Improper Input Validation

A LDAP injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users

CVE-2023-0476 6.5 - Medium - January 26, 2023

A LDAP injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could generate data in Active Directory using the application account through blind LDAP injection.

Injection

A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data

CVE-2023-24495 6.5 - Medium - January 26, 2023

A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact with external and internal services covertly.

SSRF

A privilege escalation vulnerability was identified in Nessus versions 8.10.1 through 8.15.8 and 10.0.0 through 10.4.1

CVE-2023-0101 8.8 - High - January 20, 2023

A privilege escalation vulnerability was identified in Nessus versions 8.10.1 through 8.15.8 and 10.0.0 through 10.4.1. An authenticated attacker could potentially execute a specially crafted file to obtain root or NT AUTHORITY / SYSTEM privileges on the Nessus host.

Improper Privilege Management

An authenticated attacker could utilize the identical agent and cluster node linking keys to potentially

CVE-2022-3499 6.5 - Medium - October 31, 2022

An authenticated attacker could utilize the identical agent and cluster node linking keys to potentially allow for a scenario where unauthorized disclosure of agent logs and data is present.

Insertion of Sensitive Information into Log File

An authenticated attacker could read Nessus Debug Log file attachments from the web UI without having the correct privileges to do so

CVE-2022-33757 6.5 - Medium - October 25, 2022

An authenticated attacker could read Nessus Debug Log file attachments from the web UI without having the correct privileges to do so. This may lead to the disclosure of information on the scan target and/or the Nessus scan to unauthorized parties able to reach the Nessus instance.

Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the nessusd process in cleartext

CVE-2022-28291 6.5 - Medium - October 17, 2022

Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the nessusd process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers network of assets.

Insufficiently Protected Credentials

An authenticated attacker could create an audit file

CVE-2022-32973 8.8 - High - June 21, 2022

An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

An authenticated attacker could read arbitrary files

CVE-2022-32974 6.5 - Medium - June 21, 2022

An authenticated attacker could read arbitrary files from the underlying operating system of the scanner using a custom crafted compliance audit file without providing any valid SSH credentials.

Composer is a dependency manager for the PHP programming language

CVE-2022-24828 8.8 - High - April 13, 2022

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

Argument Injection

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates

CVE-2022-24785 7.5 - High - April 04, 2022

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Directory traversal

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli

CVE-2022-0778 7.5 - High - March 15, 2022

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Infinite Loop

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

CVE-2022-23990 7.5 - High - January 26, 2022

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Integer Overflow or Wraparound

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer

CVE-2022-23852 9.8 - Critical - January 24, 2022

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Integer Overflow or Wraparound

Tenable.sc versions 5.14.0 through 5.19.1 were found to contain a remote code execution vulnerability which could

CVE-2022-0130 8.1 - High - January 14, 2022

Tenable.sc versions 5.14.0 through 5.19.1 were found to contain a remote code execution vulnerability which could allow a remote, unauthenticated attacker to execute code under special circumstances. An attacker would first have to stage a specific file type in the web server root of the Tenable.sc host prior to remote exploitation.

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22826 8.8 - High - January 10, 2022

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Integer Overflow or Wraparound

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22827 8.8 - High - January 10, 2022

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Integer Overflow or Wraparound

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22822 9.8 - Critical - January 10, 2022

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Integer Overflow or Wraparound

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22823 9.8 - Critical - January 10, 2022

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Integer Overflow or Wraparound

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22824 9.8 - Critical - January 10, 2022

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Integer Overflow or Wraparound

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22825 8.8 - High - January 10, 2022

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Integer Overflow or Wraparound

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3

CVE-2021-46143 7.8 - High - January 06, 2022

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Integer Overflow or Wraparound

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c

CVE-2021-45960 8.8 - High - January 01, 2022

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Incorrect Calculation

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts)

CVE-2021-44790 9.8 - Critical - December 20, 2021

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Memory Corruption

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can

CVE-2021-44224 8.2 - High - December 20, 2021

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

NULL Pointer Dereference

In PHP versions 7.3.x below 7.3.33

CVE-2021-21707 5.3 - Medium - November 29, 2021

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

Nessus versions 8.15.2 and earlier were found to contain a local privilege escalation vulnerability which could

CVE-2021-20135 6.7 - Medium - November 03, 2021

Nessus versions 8.15.2 and earlier were found to contain a local privilege escalation vulnerability which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. Tenable has included a fix for this issue in Nessus 10.0.0. The installation files can be obtained from the Tenable Downloads Portal (https://www.tenable.com/downloads/nessus).

jQuery-UI is the official jQuery user interface library

CVE-2021-41184 6.1 - Medium - October 26, 2021

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

XSS

jQuery-UI is the official jQuery user interface library

CVE-2021-41183 6.1 - Medium - October 26, 2021

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

XSS