CVE-2024-1471 — Improper Input Validation in Security Center

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting6 documents5 sources

Severity

4.8MEDIUMNVD

CNA5.9

EPSS

0.2%

top 63.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tenable Security Center

Timeline

PublishedFeb 14

Latest updateAug 17

Description

An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters, which could lead to HTML redirection attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5tenable/security_center< 6.3.0

▶NVDtenable/security_center< 6.3.0

🔴Vulnerability Details

GHSA

GHSA-9j55-g998-6v4p: An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could↗2024-02-15

▶

CVEList

HTML Injection Vulnerability↗2024-02-14

▶

📋Vendor Advisories

Red Hat

kernel: ipvs: properly dereference pe in ip_vs_add_service↗2024-08-17

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party (SnakeYAML) — CVE-2022-1471↗2024-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: PSR Designer (SnakeYAML) — CVE-2022-1471↗2024-01-15

▶