-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2014.0098
        A vulnerability has been identified in Tenable Nessus
                              19 August 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tenable Nessus
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-2914
Member content until: Thursday, September 18 2014

OVERVIEW

        A vulnerability has been identified in the Tenable Nessus Web GUI
        prior to version 1.2.4. [1]

IMPACT

        The vendor has provided the following details regarding this
        vulnerability, which was first disclosed in 2010:

        "Nessus contains a flaw that allows a reflected cross-site scripting
        (XSS) attack. This flaw exists because the Web GUI
        (nessusd_www_server.nbin) does not validate unspecified input to a
        GET parameter before returning it to users. This may allow a
        context-dependent attacker to create a specially crafted request
        that would execute arbitrary script code in a user's browser session
        within the trust relationship between their browser and the server."
        [1]

MITIGATION

        The vendor has stated that by default Nessus updates plugins daily,
        so users do not need to do anything to receive this update. [1]

        Because the Web GUI itself is delivered as a plugin
        (nessusd_www_server.nbin), the fix arrives through the plugin feed
        rather than as a separate Nessus release. Installations with
        automatic plugin updates disabled, or without access to the feed,
        need to apply the plugin update manually and confirm that the Web
        GUI is at version 1.2.4 or later.

REFERENCES

        [1] [R2] Tenable Nessus Web UI Reflected XSS
            http://www.tenable.com/security/tns-2010-01

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU/KwjxLndAQH1ShLAQLHhg/+P2ENMc1cGdjCoXngHRkWFnEZtjgREPNV
jnaEoII18RibNyG8/f+E6tZJVPfZ8c4yuK8IFp3guNKumOeRkaYWnB+RdNOJ+ksr
X+KKIQjhL1EEmLJdFiEI6Xi+FlRJPn0ONCMHrUtQUoMJYXPDijxR8IivPpQR+aAw
Gy6uUW62M6kYNLxZ8I0PLfGFRkk5GQ3P6HP2SWWpFPa6YpJcH4eFo9yk2B5Da6ac
OwqjpmiuwQy3g1gmuAifZpgAfN2tSNCcIkm/Y97zOBolq4XS/knQlB/jmFKAKnHh
pm2kAH91bkX8sblHjQrEGjDORWZCLxABC/4aMyYc9wlMacHufaQGTTkxaLYc3L2V
VMGOuJ65lTtvFMLmZ7pN5uTgBzQRVSoIKhfGKUsqorNgBDrGtxrNUC9nEFcH+k5W
hhIvy7zuYn78HDWWlWNorT19jXggp1yb0GBAsAMc7msDQhq0MpwYcec5DPlaP+KC
LQV+bWQuWpZTnpPDb+Q+Sjl5k2KTBEZ/ZAvKXlsui1CGXRlBkmu38Q6WG2VfyOIb
P5X9DZq25MK2VVF2RJgHtwtFLang7TYF0jlQfsWQf2eb5VFAXGWEpAFhjTs5U4YB
Cinytq4l/9Ii/39FonOuOm4pzlJ76A3Gz0Rok8XgVXngAe4zLM7/hyZJS4Ypm1q+
Ppozx7/Nwpw=
=Jckn
-----END PGP SIGNATURE-----
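The flaw class described in the IMPACT section (a GET parameter copied into the HTML response without validation or output encoding) is illustrated below in a generic toy handler. This is an added example, not Nessus code and not taken from the Tenable advisory: the parameter name `q`, the page markup and the probe string are assumptions chosen for illustration. It shows the vulnerable pattern beside its hardened form and the check a tester runs against a response body to decide whether a reflection is actually unencoded.

```python
"""Generic reflected-XSS illustration (added example, not Nessus code).

The advisory describes a Web GUI that returns a GET parameter to the
user without validating it.  This module reproduces that pattern in a
toy handler, shows the hardened form, and includes the response check
a tester would run.  The parameter name `q`, the markup and the probe
string are assumptions for illustration only.
"""
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed probe: harmless unless '<', '>' and '"' survive into the
# HTML verbatim, in which case the browser would treat it as markup.
PROBE = '"><svg/onload=alert(1)>'


def _param_q(query_string: str) -> str:
    """Extract the `q` GET parameter from a raw query string ('' if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("q", [""])[0]


def vulnerable_page(query_string: str) -> str:
    """Echo the `q` parameter straight into the HTML: the flaw pattern."""
    return f"<html><body>Results for: {_param_q(query_string)}</body></html>"


def hardened_page(query_string: str) -> str:
    """Same page, but the parameter is HTML-escaped before it is reflected.

    quote=True also escapes '"' and "'", so the value cannot break out of
    an attribute if the template ever places it inside one.
    """
    return (
        "<html><body>Results for: "
        f"{escape(_param_q(query_string), quote=True)}</body></html>"
    )


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """True if the probe appears verbatim in the response body.

    A verbatim reflection of the probe's '<', '>' and '"' is the signal
    that the parameter is emitted without output encoding.  An escaped
    copy (&lt; &gt; &quot;) is not a finding, so a plain substring match
    on the raw probe is the right test.
    """
    return probe in body


def check(handler, probe: str = PROBE) -> bool:
    """Send the probe through `handler` as the `q` GET parameter and test the reply."""
    body = handler(urlencode({"q": probe}))
    return reflects_unescaped(body, probe)


if __name__ == "__main__":
    print("vulnerable handler reflects probe unescaped:", check(vulnerable_page))
    print("hardened handler reflects probe unescaped:  ", check(hardened_page))
```

`check()` URL-encodes the probe exactly as a browser would, so the handler sees the decoded value; the vulnerable handler returns it as-is and the check reports `True`, while the hardened handler returns `&quot;&gt;&lt;svg/onload=alert(1)&gt;` and the check reports `False`. Escaping at the point of output, as `hardened_page` does, is the fix the advisory's wording calls for; input "validation" alone is a weaker substitute because the safe encoding depends on where in the page the value lands.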