CVE-2019-11454

NameCVE-2019-11454
DescriptionPersistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1767-1
NVD severitymedium (attack range: remote)
Debian Bugs927775

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
monit (PTS)jessie1:5.9-1+deb8u1vulnerable
jessie (security)1:5.9-1+deb8u2fixed
stretch1:5.20.0-6vulnerable
bullseye1:5.26.0-1fixed
sid1:5.26.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
monitsource(unstable)1:5.25.3-1medium927775
monitsourcejessie1:5.9-1+deb8u2mediumDLA-1767-1

Notes

https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c

Search for package or bug name: Reporting problems