CVE-2024-1891 - Vulnerability Details - OpenCVE

Description

A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page.

Published: 2024-06-12

Score: 3.5 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenable

Security Center

affected

Version	Status	Constraints
`0`	affected	< 6.4.0

Configuration 1 [-]

cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Tenable has released Security Center 6.4.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: https://www.tenable.com/downloads/security-center

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-17614	A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00214.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.tenable.com/security/tns-2024-10

History

Fri, 23 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenable Tenable security Center
CPEs		cpe:2.3:a:tenable:security_center::::::::
Vendors & Products		Tenable Tenable security Center

Subscriptions

Tenable Security Center

MITRE

Status: PUBLISHED

Assigner: tenable

Published: 2024-06-12T15:56:41.242Z

Updated: 2024-08-01T18:56:22.481Z

Reserved: 2024-02-26T15:14:19.218Z

Link: CVE-2024-1891

Vulnrichment

Updated: 2024-08-01T18:56:22.481Z

NVD

Status : Modified

Published: 2024-06-12T16:15:10.887

Modified: 2024-11-21T08:51:32.257

Link: CVE-2024-1891

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1891", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "state": "PUBLISHED", "assignerShortName": "tenable", "dateReserved": "2024-02-26T15:14:19.218Z", "datePublished": "2024-06-12T15:56:41.242Z", "dateUpdated": "2024-08-01T18:56:22.481Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Security Center", "vendor": "Tenable", "versions": [{"lessThan": "6.4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Pawe\u0142 Bednarz"}], "datePublic": "2024-06-10T19:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page.\n\n"}], "value": "A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2024-06-12T15:56:41.242Z"}, "references": [{"url": "https://www.tenable.com/security/tns-2024-10"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nTenable has released Security Center 6.4.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.tenable.com/downloads/security-center\">https://www.tenable.com/downloads/security-center</a>\n\n<br>"}], "value": "Tenable has released Security Center 6.4.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: https://www.tenable.com/downloads/security-center"}], "source": {"advisory": "TNS-2024-10", "discovery": "EXTERNAL"}, "title": "Stored Cross Site Scripting", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "tenable", "product": "security_center", "cpes": ["cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "6.4.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T17:55:20.674084Z", "id": "CVE-2024-1891", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:09:01.056Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.481Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.tenable.com/security/tns-2024-10", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.tenable.com/security/tns-2024-10", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.481Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1891", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-12T17:55:20.674084Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*"], "vendor": "tenable", "product": "security_center", "versions": [{"status": "affected", "version": "0", "lessThan": "6.4.0", "versionType": "custom"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:08:57.863Z"}}], "cna": {"title": "Stored Cross Site Scripting", "source": {"advisory": "TNS-2024-10", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pawe\u0142 Bednarz"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tenable", "product": "Security Center", "versions": [{"status": "affected", "version": "0", "lessThan": "6.4.0", "versionType": "custom"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Tenable has released Security Center 6.4.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: https://www.tenable.com/downloads/security-center", "supportingMedia": [{"type": "text/html", "value": "\n\nTenable has released Security Center 6.4.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.tenable.com/downloads/security-center\">https://www.tenable.com/downloads/security-center</a>\n\n<br>", "base64": false}]}], "datePublic": "2024-06-10T19:00:00.000Z", "references": [{"url": "https://www.tenable.com/security/tns-2024-10"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page.", "supportingMedia": [{"type": "text/html", "value": "\n\nA stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2024-06-12T15:56:41.242Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1891", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:56:22.481Z", "dateReserved": "2024-02-26T15:14:19.218Z", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "datePublished": "2024-06-12T15:56:41.242Z", "assignerShortName": "tenable"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F327CB2-484E-4AA1-9590-2AC897A6E688", "versionEndExcluding": "6.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page."}, {"lang": "es", "value": "Existe una vulnerabilidad de cross-site scripting almacenado en Tenable Security Center donde un atacante remoto autenticado podr\u00eda inyectar c\u00f3digo HTML en la p\u00e1gina de resultados del an\u00e1lisis de una aplicaci\u00f3n web."}], "id": "CVE-2024-1891", "lastModified": "2024-11-21T08:51:32.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "vulnreport@tenable.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-12T16:15:10.887", "references": [{"source": "vulnreport@tenable.com", "tags": ["Vendor Advisory"], "url": "https://www.tenable.com/security/tns-2024-10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.tenable.com/security/tns-2024-10"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnreport@tenable.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}