337863 matches found
Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)
The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a possible remote code execution vulnerability when results are used without setting a namespace along with an upper action that does not have a namespace set or has...
TCP/IP SYN+FIN Packet Filtering Weakness
The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules. (C) Tenable Network Security, Inc.
ESXi 6.5 / 6.7 / 7.0 RCE (VMSA-2021-0002)
The remote VMware ESXi host is version 6.5, 6.7 or 7.0 and is affected by a remote code execution vulnerability. OpenSLP as used in ESXi 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG has a heap-overflow vulnerability. A malicious actor residing...
KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow)
The remote Windows host is missing security update 4343888 or cumulative update 4343898. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a...
NSClient Default Password
The remote host is running an instance of NSClient, an addon for Nagios used to monitor Windows hosts, configured using a default password. Anyone can connect to it and retrieve sensitive information, such as process and service states, memory usage, etc.
GPON ONT Home Gateway Router is vulnerable to authentication bypass (CVE-2018-10561)
Binary data gponcve-2018-10561.nbin...
Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4109)
The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4109 advisory. - media: imon: Fix null-ptr-deref in imon_probe Arvind Yadav Orabug: 27208380 CVE-2017-16537 - Input: gtco - fix potential out-of-bound access Dmitr...
MS KB3046310: Improperly Issued Digital Certificates Could Allow Spoofing
The remote host is missing KB3046310, KB2677070 automatic updater, or the latest disallowed certificate update using KB2813430 manual updater. If KB2677070 has been installed, it has not yet obtained the latest auto-updates. Note that this plugin checks that the updaters have actually updated the...
CGI Generic Command Execution (time-based)
The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host. Note that this script uses a time-based detection method which is less reliable than the basic method...
Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE
The version of Apache Log4j on the remote host is 2.0 < 2.3.2, 2.4 < 2.12.4, or 2.13 < 2.17.1. It is, therefore, affected by a remote code execution vulnerability. Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to a remote code execution...
Apache Tomcat HTTP PUT JSP File Upload RCE
The HTTP server running on the remote host is affected by a flaw that allows a remote unauthenticated attacker to upload a JSP file and execute it.
SolarWinds Dameware Mini Remote Control Unauthenticated RCE
The SolarWinds Dameware Mini Remote Control Client Agent running on the remote host is affected by a remote code execution vulnerability due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of requests, to execute arbitrary code.
URLScan for IIS Detection
The remote web server is using URLScan to protect itself, which is a good thing. However since it is possible to determine that URLScan is installed, an attacker may safely assume that the remote web server is Internet Information Server.
PHP 8.1.x < 8.1.7 Multiple Vulnerabilities
The version of PHP installed on the remote host is prior to 8.1.7. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.1.7 advisory. - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying...
PHP 5.6.x < 5.6.39 Multiple vulnerabilities
According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.39. It is, therefore, affected by multiple vulnerabilities: - An arbitrary command injection vulnerability exists in the imap_open function due to improper filters for mailbox names prior to passing...
Web Server Directory Enumeration
This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not. This plugin was written by H D Moore Changes by Tenable: - Revised plugin title...
Webmin 'miniserv.pl' Arbitrary File Disclosure
The version of Webmin installed on the remote host is affected by an information disclosure flaw due to a flaw in the Perl script 'miniserv.pl'. This flaw could allow a remote, unauthenticated attacker to read arbitrary files on the affected host, subject to the privileges of the web server user...
DNS Server Zone Transfer Information Disclosure (AXFR)
The remote name server allows DNS zone transfers to be performed. A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming convention that can give hints as to a server's primary application, for instance, proxy.example.com,...
Apache Tomcat Detection
Nessus was able to detect a remote Apache Tomcat web server. NOTE: When paranoia levels are elevated, this plugin will also consider versions obtained from responses with non-200 HTTP status codes.
Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)
The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted a...
Netstat Portscanner (SSH)
Nessus was able to run 'netstat' on the remote host to enumerate the open ports. If 'netstat' is not available, the plugin will attempt to use 'ss'. See the section 'plugins options' about configuring this plugin. Note: This plugin runs on Windows using netstat.exe if the target is localhost...
SSL / TLS Renegotiation DoS
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not...
Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header
The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all. The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and...
Cisco AnyConnect Secure Mobility Client VPN Downgrade
The remote host has a version of Cisco AnyConnect 2.5 MR6 / 3.0 MR8. Such versions are potentially affected by a software downgrade vulnerability. The WebLaunch VPN downloader implementation does not compare timestamps of offered software to install with currently installed software, which may...
Oracle GlassFish Server URL normalization Denial of Service
The instance of Oracle GlassFish Server running on the remote host is affected by an authenticated and unauthenticated denial of service vulnerability. The vulnerability is a result of an infinite loop in the normalize method in com.sun.jsftemplating.util.fileStreamer.ResourceContentSource. A...
PHP expose_php Information Disclosure
The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such a URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but Nessus has not checked for them...
Microsoft .NET Framework Unsupported
According to its self-reported version number, there is at least one version of Microsoft .NET Framework installed on the remote Windows host that is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely...
VMware ESX / ESXi Unsupported Version Detection
According to its version, the installation of VMware ESX or ESXi on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
MS17-013: Security Update for Microsoft Graphics Component (4013075)
The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple elevation of privilege vulnerabilities exist in the Windows Graphics Device Interface (GDI) component due to improper handling of objects in memory. A local attacker can exploit...
CGI Generic XSS (comprehensive test)
The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XS...
X Display Manager Control Protocol (XDMCP) Detection
The X Display Manager Control Protocol (XDMCP) service allows a Unix user to remotely obtain a graphical X11 login and therefore act as a local user on the remote host. If an attacker can gain a valid login and password, this service could be used to gain further access on the remote host. An...
Apache Struts 2 'class' Parameter ClassLoader Manipulation
The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability due to the application allowing manipulation of the ClassLoader via the...
MySQL User-Defined Functions Multiple Vulnerabilities
User-defined functions in MySQL can allow a database user to cause binary libraries on the host to be loaded. The insert privilege on the table 'mysql.func' is required for a user to create user-defined functions. When running on Windows and possibly other operating systems, MySQL is potentially...
Microsoft Windows EFSRPC NTLM Reflection Elevation of Privilege (PetitPotam) (Remote)
Binary data windowspetitpotam.nbin...
Limbo CMS sql.php classes_dir Parameter Remote File Inclusion
The remote host is running Limbo CMS, a content-management system written in PHP. The version of Limbo CMS installed on the remote host fails to sanitize user-supplied input to the 'classes_dir' parameter of the 'classes/adodbt/sql.php' script before using it in PHP 'include_once' functions. Provid...
Microsoft 3D Viewer Base3D Code Execution (October 2020)
The Microsoft 3D Viewer app installed on the remote host is affected by a code execution vulnerability when the Base3D rendering engine improperly handles memory. An attacker who successfully exploited the vulnerability would gain execution on a victim system.
Apache Log4j 1.x Multiple Vulnerabilities
According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including : - Log4j includes a SocketServer that...
Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU)
According to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.27 (Patch 26834070). It is, therefore, affected by an unspecified vulnerability in the Network Security Services (NSS) library with unkno...
LDAP NULL BASE Search Access
The remote LDAP server supports search requests with a NULL, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool such as 'LdapMiner'...
Browsable Web Directories
Multiple Nessus plugins identified directories on the web server that are browsable.
BMC Server Automation RSCD Agent Weak ACL XML-RPC Arbitrary Command Execution
The RSCD agent running on the remote host does not have access controls in place to prevent an attacker from executing XML-RPC commands. An unauthenticated, remote attacker can exploit this to execute arbitrary commands in the context of the user in which the connections are mapped.
Apache 2.4.x < 2.4.59 Multiple Vulnerabilities
According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.59. It is, therefore, affected by multiple vulnerabilities: - Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses...
Target Access Problems by Authentication Protocol - Maximum Privilege Account Used in Scan
Nessus was able to log in to the remote host using the provided credentials. The provided credentials have the highest privilege possible on the remote host. Yet Nessus encountered permissions issues while accessing items during the scan. It is likely that this condition is caused by one or more ...
Oracle Java Runtime Environment (JRE) Detection
One or more instances of Oracle's (formerly Sun's) Java Runtime Environment (JRE) is installed on the remote host. This may include private JREs bundled with the Java Development Kit (JDK). - Additional instances of Java may be discovered if thorough tests are enabled.
EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1280)
According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted...
PHP Version Detection
Nessus was able to determine the version of PHP available on the remote web server.
Operating System Unsupported Version Detection in banner reporting (PCI-DSS check)
A service banner response from the remote host indicates an operating system install at a level that indicates the operating system running on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, ...
Server Message Block (SMB) Protocol Version 1 Enabled
The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft recommends that users discontinue the use of SMBv1 due to the lack of security features that were included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that affects...
Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)
According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. An unauthenticated, remote...
MS11-004: Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)
The IIS FTP service running on the remote host has a heap-based buffer overflow vulnerability. The 'TELNET_STREAM_CONTEXT::OnSendData' function fails to properly sanitize user input, resulting in a buffer overflow. An unauthenticated, remote attacker can exploit this to execute arbitrary code.