CVE-2019-11454

NameCVE-2019-11454
DescriptionPersistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1767-1
NVD severitymedium
Debian Bugs927775

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
monit (PTS)stretch1:5.20.0-6+deb9u1vulnerable
bullseye, sid1:5.26.0-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
monitsource(unstable)1:5.25.3-1927775
monitsourcejessie1:5.9-1+deb8u2DLA-1767-1

Notes

[stretch] - monit <no-dsa> (Minor issue)
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c

Search for package or bug name: Reporting problems