SecurityTracker.com
Category:   Application (Security)  >   Nessus
Vendors:   Deraison, Renaud et al, Tenable Network Security
Tenable Nessus Access Control Flaw in Web UI Lets Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1030614
SecurityTracker URL:  http://securitytracker.com/id/1030614
CVE Reference:   CVE-2014-4980
Date:  Jul 21 2014
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.2.3 - 5.2.7; Web UI 2.3.4
Description:   A vulnerability was reported in Tenable Nessus. A remote user can obtain potentially sensitive information.

A remote user can send a specially crafted request to the '/server/properties' URL to obtain potentially sensitive information without authenticating.

The vendor was notified on June 24, 2014.

The following data can be obtained:

Plugin Set
Server uuid
Web Server Version
Nessus UI Version
Nessus Type
Notifications
MSP
Capabilities
Multi Scanner
Multi User
Tags
Reset Password
Report Diff
Report Email Config
Report Email
PCI Upload
Plugin Rules
Plugin Set
Idle Timeout
Scanner Boot time
Server Version
Feed
Status

The original advisory is available at:

http://www.halock.com/blog/cve-2014-4980-parameter-tampering-nessus-web-ui/

Robert Gilbert of HALOCK Security Labs reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information.
Solution:   The vendor has issued a fix (Web UI 2.3.5).

The vendor's advisory is available at:

http://www.tenable.com/security/tns-2014-05

Vendor URL:  www.tenable.com/security/tns-2014-05
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.



Copyright 2014, SecurityGlobal.net LLC