CVE-2016-82012

critical

Description

Tenable recently worked with Synacktiv to perform security testing for Nessus, as part of an ongoing initiative to proactively address security issues. During the test, their team found two issues that may impact a Nessus vulnerability scanner. Both issues require user authentication to exploit: CVE-2016-82012 - Stored XSS CVE-2016-82013 - XML External Entity (XXE) Expansion DoS Note that the CVSS score reflects the higher of the two issues (XXE). Further, Tenable strongly recommends that these products be installed on a subnet that is not Internet addressable. Tenable has released version 6.6 that corresponds to the supported operating systems and architectures. To update your Nessus installation, follow these steps: Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200) Stop the Nessus service. Install according to your operating system procedures. Restart the Nessus service. Tenable Appliance: Tenable Appliance users can upgrade to version 4.2.0, which is not affected. Updates can be obtained from https://support.tenable.com/support-center/index.php?x=&mod_id=230.

Details

Source: Mitre, NVD

Published: 2016-04-11

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Severity: Critical