Vulnerabilities > CVE-2007-3546 - Script HTML Injection vulnerability in Nessus Windows GUI

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

nessus

NVD

Published: 2007-07-03

Updated: 2017-07-29

Summary

Cross-site scripting (XSS) vulnerability in the Windows GUI in Nessus Vulnerability Scanner before 3.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Configurations

Part	Description	Count
Application	Nessus Nessus Nessus *	1

Nessus

NASL family	Windows
NASL id	NESSUS_WINDOWS_GUI_XSS.NASL
description	According to its self-reported version number, the Tenable Nessus application running on the remote host is affected by a cross-site scripting (XSS) vulnerability due to a failure to properly sanitize user-supplied input before using it to generate dynamic content. An unauthenticated, remote attacker can exploit this issue to inject arbitrary HTML or script code into a user
last seen	2020-06-01
modified	2020-06-02
plugin id	25612
published	2007-06-29
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25612
title	Nessus Windows < 3.0.6 GUI Unspecified XSS
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25612); script_version("1.23"); script_cvs_date("Date: 2018/07/16 14:09:15"); script_cve_id("CVE-2007-3546"); script_bugtraq_id(24677); script_name(english:"Nessus Windows < 3.0.6 GUI Unspecified XSS"); script_summary(english:"Checks version of Nessus"); script_set_attribute(attribute:"synopsis", value: "An application running on the remote host is affected by a cross-site scripting vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Tenable Nessus application running on the remote host is affected by a cross-site scripting (XSS) vulnerability due to a failure to properly sanitize user-supplied input before using it to generate dynamic content. An unauthenticated, remote attacker can exploit this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected host."); script_set_attribute(attribute:"see_also", value:"https://exchange.xforce.ibmcloud.com/vulnerabilities/35118"); script_set_attribute(attribute:"solution", value:"Upgrade to Nessus for Windows version 3.0.6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nessus:nessus"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("smb_func.inc"); include("audit.inc"); # Connect to the appropriate share. if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); port = kb_smb_transport(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); audit(AUDIT_SHARE_FAIL,"IPC$"); } # Connect to remote registry. hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); audit(AUDIT_REG_FAIL); } # Get some info about the install. path = NULL; key = "SOFTWARE\Tenable\Nessus"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"PATH"); if (!isnull(value)) { path = value[1]; path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path); } RegCloseKey(handle:key_h); } RegCloseKey(handle:hklm); # If it is... if (path) { # Make sure the executable exists. share = ereg_replace(pattern:"^([A-Za-z]):.", replace:"\1$", string:path); exe = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1\NessusGUI.exe", string:path); NetUseDel(close:FALSE); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); audit(AUDIT_SHARE_FAIL,share); } fh = CreateFile( file:exe, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (!isnull(fh)) { ver = GetFileVersion(handle:fh); CloseFile(handle:fh); } # There's a problem if the version is < 3.0.6 if (!isnull(ver)) { fix = split("3.0.6.0", sep:'.', keep:FALSE); for (i=0; i<4; i++) fix[i] = int(fix[i]); for (i=0; i<max_index(ver); i++) if ((ver[i] < fix[i])) { # nb: only the first 3 parts are reported to end-users. version = string(ver[0], ".", ver[1], ".", ver[2]); report = string( "The Nessus Windows GUI ", version, " is installed under :\n", "\n", " ", path, "\n" ); security_warning(port:port, extra: report); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); break; } else if (ver[i] > fix[i]) break; } } # Clean up. NetUseDel();

Summary

Vulnerable Configurations

Nessus

References