CVE-2019-3923

Nessus versions 8.2.1 and earlier were found to contain a stored XSS vulnerability due to improper validation of user-supplied input. An authenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a user's browser session. Tenable has released Nessus 8.2.2 to address this issue.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.tenable.com/security/tns-2019-01	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-02-12 04:29

Updated : 2023-12-10 12:44

NVD link : CVE-2019-3923

Mitre link : CVE-2019-3923

CVE.ORG link : CVE-2019-3923

JSON object : View

Products Affected

tenable

nessus

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-3923", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2019-02-12T04:29:00.690", "references": [{"url": "https://www.tenable.com/security/tns-2019-01", "tags": ["Vendor Advisory"], "source": "vulnreport@tenable.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Nessus versions 8.2.1 and earlier were found to contain a stored XSS vulnerability due to improper validation of user-supplied input. An authenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a user's browser session. Tenable has released Nessus 8.2.2 to address this issue."}, {"lang": "es", "value": "Nessus, en versiones 8.2.1 y anteriores, conten\u00eda una vulnerabilidad Cross-Site Scripting (XSS) persistente debido a la validaci\u00f3n incorrecta de entradas proporcionadas por el usuario. Un atacante remoto autenticado podr\u00eda explotar esta vulnerabilidad mediante una petici\u00f3n especialmente manipulada para ejecutar c\u00f3digo script arbitrario en la sesi\u00f3n de navegaci\u00f3n de un usuario. Tenable ha lanzado la versi\u00f3n 8.2.2 de Nessus para abordar este problema."}], "lastModified": "2019-02-12T14:55:30.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "788872E9-0FD3-433B-A349-4087766F8CBB", "versionEndIncluding": "8.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "vulnreport@tenable.com"}