0 Replies Latest reply: Sep 23, 2013 10:53 AM by ktodd

Advisory - Cross-Site Scripting Vulnerability in SecurityCenter

ktodd Apprentice

Tenable SecurityCenter 4.6 - 4.7 devform.php message Parameter Reflected XSS

Tenable Network Security (http://tenable.com/)

Disclosure Date: September 23, 2013

CVE: CVE-2013-5911

OSVDB: 97584

Product: SecurityCenter (http://tenable.com/products/securitycenter)

Versions affected: 4.6.x, 4.6.x.x, 4.7

Risk factor: Medium / CVSS Base Score 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Credit: Jamieson O'Reilly


SecurityCenter contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the devform.php script, a development tool for interacting with the API for testing purposes, does not validate the 'message' parameter upon submission. This may allow an unauthenticated attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server, if the victim clicks on the URL.
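The following is an added example, not part of the advisory and not Tenable's devform.php source: it models the unsafe reflection the description above talks about (a request parameter concatenated into the page without output encoding) beside the hardened form, and gives the check an administrator can use after remediation to confirm the 'message' parameter is either no longer served or is reflected only in encoded form. The host name and the page markup are assumptions; the probe string is constructed for the test.

```python
import html
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed probe: a harmless string carrying every character an HTML
# text/attribute context must encode (' " < > &). If it comes back
# byte-for-byte, the parameter is reflected without output encoding.
PROBE = "xss'\"<probe>&"


def render_vulnerable(message: str) -> str:
    """Hypothetical model of the unsafe pattern: the request parameter is
    concatenated straight into the response body (mirrors the advisory's
    description; not the real devform.php code)."""
    return '<html><body><div class="msg">' + message + "</div></body></html>"


def render_hardened(message: str) -> str:
    """Same page with output encoding for an HTML text context.
    html.escape(quote=True) encodes & < > " and ' so the value cannot
    close the element or attribute it is placed in."""
    return (
        '<html><body><div class="msg">'
        + html.escape(message, quote=True)
        + "</div></body></html>"
    )


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """True if the probe appears verbatim in the response body. A hardened
    page reflects it only in its encoded form, so this returns False."""
    return probe in body


def build_probe_url(base_url: str, param: str = "message", probe: str = PROBE) -> str:
    """Build the GET URL used to exercise the parameter. urlencode()
    percent-encodes the probe so every character reaches the server intact."""
    parts = urlsplit(base_url)
    query = urlencode({param: probe})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def classify(status_code: int, body: str, probe: str = PROBE) -> str:
    """Triage a response from the script after remediation:
      'removed'    the script is gone or access is denied (the advisory's fix)
      'vulnerable' the probe is reflected verbatim
      'encoded'    the probe is reflected only in HTML-encoded form
      'absent'     the parameter is not reflected at all"""
    if status_code in (401, 403, 404):
        return "removed"
    if reflects_unescaped(body, probe):
        return "vulnerable"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    # Hypothetical host; no request is sent here, the URL is only built.
    print(build_probe_url("https://sc.example.internal/devform.php"))
    print("vulnerable page ->", classify(200, render_vulnerable(PROBE)))
    print("hardened page   ->", classify(200, render_hardened(PROBE)))
    print("after rm -f devform.php ->", classify(404, "Not Found"))
```

The encoding in render_hardened is only correct for an HTML text or quoted-attribute context; a value placed inside a script block or a URL needs context-specific encoding instead. The probe deliberately contains no executable payload, since verbatim reflection of the five metacharacters is already sufficient evidence that the parameter is not being encoded.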

For existing installations, as an administrative user of the system, remove the 'devform.php' script from the server, or restrict access to the script.

# rm -f /opt/sc4/www/devform.php

Vendor contact: 2013-09-05

Vendor reply: 2013-09-05

Disclosure: 2013-09-23