{"api_version":"1","generated_at":"2026-04-23T00:39:48+00:00","cve":"CVE-2018-1155","urls":{"html":"https://cve.report/CVE-2018-1155","api":"https://cve.report/api/cve/CVE-2018-1155.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1155","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1155"},"summary":{"title":"CVE-2018-1155","description":"In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS) issue could allow an authenticated attacker to inject JavaScript code into an image filename parameter within the Reports feature area. Properly updated input validation techniques have been implemented to correct this issue.","state":"PUBLIC","assigner":"vulnreport@tenable.com","published_at":"2018-08-02 19:29:00","updated_at":"2018-10-03 18:04:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.tenable.com/security/tns-2018-11","name":"https://www.tenable.com/security/tns-2018-11","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"[R2] SecurityCenter 5.7.0 Fixes Multiple Vulnerabilities - Security Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1041431","name":"1041431","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Tenable SecurityCenter PHP/JQuery Component Bugs Let Remote Users Determine Valid Usernames and Let Remote Authenticated Users Conduct Cross-Site Scripting Attacks - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1155","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1155","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1155","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tenable","cpe5":"securitycenter","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1155","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tenable","cpe5":"securitycenter","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"vulnreport@tenable.com","DATE_PUBLIC":"2018-07-31T00:00:00","ID":"CVE-2018-1155","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SecurityCenter","version":{"version_data":[{"version_value":"All versions prior to 5.7.0"}]}}]},"vendor_name":"Tenable"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS) issue could allow an authenticated attacker to inject JavaScript code into an image filename parameter within the Reports feature area. Properly updated input validation techniques have been implemented to correct this issue."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross-Site Scripting (XSS)"}]}]},"references":{"reference_data":[{"name":"https://www.tenable.com/security/tns-2018-11","refsource":"CONFIRM","url":"https://www.tenable.com/security/tns-2018-11"},{"name":"1041431","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041431"}]}},"nvd":{"publishedDate":"2018-08-02 19:29:00","lastModifiedDate":"2018-10-03 18:04:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*","versionEndExcluding":"5.7.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1155","Ordinal":"116410","Title":"CVE-2018-1155","CVE":"CVE-2018-1155","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1155","Ordinal":"1","NoteData":"In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS) issue could allow an authenticated attacker to inject JavaScript code into an image filename parameter within the Reports feature area. Properly updated input validation techniques have been implemented to correct this issue.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1155","Ordinal":"2","NoteData":"2018-08-02","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1155","Ordinal":"3","NoteData":"2018-08-12","Type":"Other","Title":"Modified"}]}}}