Tenable.sc 5.21.0

CPE Details

Tenable.sc 5.21.0
tenable
tenable.sc
5.21.0
2022-04-21
11h08 +00:00
2022-04-22
16h04 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:tenable:tenable.sc:5.21.0:*:*:*:*:*:*:*

Informations

Vendor

tenable

Product

tenable.sc

Version

5.21.0

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2023-0476 2023-01-25 00h00 +00:00 A LDAP injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could generate data in Active Directory using the application account through blind LDAP injection.
6.5
Medium
CVE-2023-24493 2023-01-25 00h00 +00:00 A formula injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could leverage the reporting system to export reports containing formulas, which would then require a victim to approve and execute on a host.
5.7
Medium
CVE-2023-24494 2023-01-25 00h00 +00:00 A stored cross-site scripting (XSS) vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session.
5.4
Medium
CVE-2023-24495 2023-01-25 00h00 +00:00 A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact with external and internal services covertly.
6.5
Medium
CVE-2021-44224 2021-12-20 10h20 +00:00 A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
8.2
High
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.