CVE-2018-1147

MEDIUM

Nessus < 7.1.0 - Authenticated Stored Cross-Site Scripting via .nessus File Upload

Title source: llm
STIX 2.1

Description

In Nessus before 7.1.0, a XSS vulnerability exists due to improper input validation. A remote authenticated attacker could create and upload a .nessus file, which may be viewed by an administrator allowing for the execution of arbitrary script code in a user's browser session. In other scenarios, XSS could also occur by altering variables from the Advanced Settings.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2018-05
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040918

Scores

CVSS v3 5.4
EPSS 0.0036
EPSS Percentile 58.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
tenable/nessus < 7.1.0
Published May 18, 2018
Tracked Since Feb 18, 2026