PatchSiren cyber security CVE debrief

CVE-2016-9261 Tenable CVE debrief

CVE-2016-9261 describes a cross-site scripting (XSS) issue in Tenable Log Correlation Engine (LCE) before 4.8.1. The flaw can be triggered by a remote authenticated user and may allow injection of arbitrary web script or HTML, creating a risk of session theft, page tampering, or other browser-side abuse in affected admin or user workflows.

Vendor: Tenable
Product: CVE-2016-9261
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-28
Original CVE updated: 2026-05-13
Advisory published: 2017-02-28
Advisory updated: 2026-05-13

Who should care

Organizations running Tenable Log Correlation Engine (LCE), especially teams that allow remote authenticated access to the product’s web interface. Security administrators, vulnerability management teams, and anyone responsible for Tenable appliance hardening and patching should prioritize review.

Technical summary

NVD maps this issue to CWE-79 (Cross-site Scripting) and gives it the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, low-privilege authentication required, user interaction required, and a changed scope (the injected script runs in the victim's browser rather than in the LCE component itself). The official record lists Tenable LCE through 4.8.0 as vulnerable, i.e. every version before 4.8.1. The impact is script or HTML injection in the browser context (low confidentiality and integrity impact), not loss of availability.

Defensive priority

Medium. The issue is authenticated, but it is network-reachable and can affect confidentiality and integrity within the browser context. Prioritize if LCE is exposed to remote users or used for sensitive administrative workflows.

Recommended defensive actions

  • Upgrade Tenable Log Correlation Engine to version 4.8.1 or later.
  • Review and apply the vendor guidance in Tenable advisory TNS-2016-18.
  • Restrict remote authenticated access to LCE to only necessary administrators and networks.
  • Validate that web input handling and output encoding controls are in place around any custom integrations or workflows that surface user-controlled content.
  • Monitor for unexpected script-bearing input or anomalous browser-side behavior in LCE sessions.

Evidence notes

The official NVD record states that Tenable Log Correlation Engine before 4.8.1 is vulnerable to XSS and links the issue to CWE-79. The NVD CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. A vendor advisory/patch reference is listed at https://www.tenable.com/security/tns-2016-18. CVE publication date used here is 2017-02-28, with the record later modified on 2026-05-13; the modification date is not treated as the issue date.

Official resources

The CVE was published in the official record on 2017-02-28. The NVD entry was later modified on 2026-05-13; this debrief uses the published CVE date for disclosure context and the modified date only as record-update context.