CVE-2019-11454

NameCVE-2019-11454
DescriptionPersistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1767-1, DLA-2855-1
Debian Bugs927775

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
monit (PTS)bullseye1:5.27.2-1fixed
bookworm1:5.33.0-1fixed
sid, trixie1:5.33.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
monitsourcejessie1:5.9-1+deb8u2DLA-1767-1
monitsourcestretch1:5.20.0-6+deb9u2DLA-2855-1
monitsource(unstable)1:5.25.3-1927775

Notes

https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
Search for package or bug name: Reporting problems