Tenable SecurityCenter 5.4.x <= 5.4.3 PHP Object Deserialization Remote File Deletion (TNS-2017-05)
Severity: Medium
Nessus Plugin ID: 97575
Synopsis
An application installed on the remote host is affected by a PHP object deserialization vulnerability.
Description
According to its version, the installation of Tenable SecurityCenter on the remote host is affected by a PHP object deserialization vulnerability in the PluginParser.php script. An authenticated, remote attacker can exploit this, by uploading a specially crafted PHP object, to delete arbitrary files on the remote host.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Apply the appropriate patch referenced in the vendor advisory.