CVE-2024-9158: 
Tenable Nessus Network Monitor vulnerability analysis and mitigation

A stored cross site scripting vulnerability (CVE-2024-9158) was discovered in Nessus Network Monitor that affects versions 6.4.1 and earlier. The vulnerability was disclosed on September 30, 2024, and allows an authenticated, privileged local attacker to inject arbitrary code into the NNM UI via the local CLI (Tenable Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (HIGH) with the vector string AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H according to Tenable, while NIST assigned a more moderate score of 4.6 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If successfully exploited, this vulnerability could allow an authenticated attacker with high privileges to inject arbitrary code into the Nessus Network Monitor user interface, potentially leading to the execution of malicious code in the context of other users' browsers who access the affected interface (Tenable Advisory).

Tenable has released Nessus Network Monitor version 6.5.0 to address this vulnerability. Users are advised to upgrade to this version. The fix can be obtained from the Tenable Downloads Portal (Tenable Advisory).