[R2] SecurityCenter 5.7.0 Fixes Multiple Vulnerabilities

SecurityCenter leverages third-party software to help provide underlying functionality. Two separate third-party components (PHP and jQuery) were found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution and in line with good practice, Tenable opted to upgrade the bundled libraries to address the potential impact of these issues in SecurityCenter. SecurityCenter 5.7.0 updates PHP to version 7.1.15 and jQuery to version 3.3.1 to address the identified vulnerabilities. Please see the Additional References section below for related information and CVE ID's.

Several additional vulnerabilities have also been fixed in SecurityCenter 5.7.0:

1. In SecurityCenter versions prior to 5.7.0, a username enumeration issue could allow an unauthenticated attacker to automate the discovery of username aliases via brute force, ultimately facilitating unauthorized access. Server response output has been unified to correct this issue. (CVE-2018-1154)

2. In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS) issue could allow an authenticated attacker to inject JavaScript code into an image filename parameter within the Reports feature area. Properly updated input validation techniques have been implemented to correct this issue. (CVE-2018-1155)