CVE-2019-11454

Опубликовано: 22 апр. 2019

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.

Ссылки

https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
Patch
Third Party Advisory
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
Patch
Third Party Advisory
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00028.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00018.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZQDHRSKTEX5MSYXNCGFTUSFGANBARHX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L475QJMFFI2QV5QEHAKKPVX6QX6ECUL6/
https://usn.ubuntu.com/3971-1/
Third Party Advisory
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
Patch
Third Party Advisory
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
Patch
Third Party Advisory
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00028.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00018.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZQDHRSKTEX5MSYXNCGFTUSFGANBARHX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L475QJMFFI2QV5QEHAKKPVX6QX6ECUL6/
https://usn.ubuntu.com/3971-1/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mmonit:monit:*:*:*:*:*:*:*:*

Версия до 5.25.3 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

EPSS

Процентиль: 78%

0.01161

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2019-11454

CVSS3: 6.1

ubuntu

почти 7 лет назад

CVE-2019-11454

CVSS3: 6.1

debian

почти 7 лет назад

Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash ...

GHSA-8hqm-hwvr-wgv7

CVSS3: 6.1

github

больше 3 лет назад

Cross-site scripting

BDU:2020-01554

CVSS3: 6.1

fstec

почти 7 лет назад

Уязвимость утилиты для управления и мониторинга процессов, программ, файлов и каталогов Monit, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 78%

0.01161

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79