All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

The version of IBM Cognos Analytics installed on the remote host is prior to 11.1.7 FP8, 11.2.4 FP3, or 12.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Bulletin No. 7123154, including the following:

  - When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the   allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using   Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which   addresses this issue. (CVE-2023-39410)

  - In order to decrypt SM2 encrypted data an application is expected to call the API function   EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the   'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required   to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call   EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the   implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the   plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by   the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a   second time with a buffer that is too small. A malicious attacker who is able present SM2 content for   decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of   62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour   or causing the application to crash. The location of the buffer is application dependent but is typically   heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
  Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using   SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend   upgrading to version 2.0 and beyond. (CVE-2022-1471)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable Nessus application running on the remote host is 10.4.2 or earlier. It is, therefore, affected by multiple vulnerabilities in OpenSSL prior to version 3.0.8, spin.js prior to version 2.3.2, and datatables.net prior to version 1.13.2:
    
    - An attacker that had observed a genuine connection between a client and a server could use the flaw to send trial       messages to the server and record the time taken to process them. After a sufficiently large number of messages       the attacker could recover the pre-master secret used for the original connection. (CVE-2022-4304)

    - The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes any header data and the payload       data. Under certain conditions, a double free will occur. This will most likely lead to a crash. (CVE-2022-4450)

    - The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. Under certain conditions,       the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously       freed filter BIO. This will most likely result in a crash. (CVE-2023-0215)

    - An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data. The result of the       dereference is an application crash which could lead to a denial of service attack. (CVE-2023-0216)

    - An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the       EVP_PKEY_public_check() function. This will most likely lead to an application crash. (CVE-2023-0217)

    - A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash       algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the       digest initialization will fail. (CVE-2023-0401) 

    - A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking, which       might result in a crash which could lead to a denial of service attack. (CVE-2022-4203)

    - All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for       https:/snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. (CVE-2020-28458)

    - With the package datatables.net before 1.11.3 if an array is passed to the HTML escape entities function it would not       have its contents escaped. (CVE-2021-23445)

    - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of       Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the       native Object.prototype. (CVE-2019-11358)

    - In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted       sources, even after sanitizing it, to one of jQuery DOM manipulation methods may execute untrusted code. (CVE-2020-11023)

    - jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method that fails to recognize and remove <script>       HTML tags that contain a whitespace character and trigger execution of the enclosed script logic. (CVE-2020-7656)

According to its self-reported version, the Tenable Nessus application running on the remote host is 10.x prior to 10.3.1. It is, therefore, affected by multiple vulnerabilities, including:

  - A use-after-free vulnerability in the doContent function in xmlparse.c in libexpat. (CVE-2022-40674)

  - A path traversal vulnerability in the locale string handling functionality of Moment.js. (CVE-2022-24785)

  - A denial of service vulnerability in the string-to-date parsing functinality in Moment.js (CVE-2022-31129)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1169 advisory.

  - nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS (CVE-2019-20921)

  - m2crypto: bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)

  - datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

  - nodejs-immer: prototype pollution may lead to DoS or remote code execution (CVE-2020-28477)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:1186 advisory.

  - nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS (CVE-2019-20921)

  - datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2021:1184 advisory.

  - datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193868	IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)	Nessus	CGI abuses	critical
172124	Tenable Nessus <= 10.4.2 Multiple Vulnerabilities (TNS-2023-09)	Nessus	Misc.	high
166600	Tenable Nessus 10.x < 10.3.1 Multiple Vulnerabilities (TNS-2022-20)	Nessus	Misc.	critical
148572	RHEL 8 : RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement (Moderate) (RHSA-2021:1169)	Nessus	Red Hat Local Security Checks	high
148566	RHEL 8 : RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] 0-day security, bug fix, enhance (Moderate) (RHSA-2021:1186)	Nessus	Red Hat Local Security Checks	high
148540	RHEL 8 : RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement (Moderate) (RHSA-2021:1184)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2020-28458

high

Tenable Plugins

critical

high

critical

high

high

high