Vulnerability Details : CVE-2019-11454
Potential exploit
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-11454
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:mmonit:monit:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11454
- EPSS score: 1.54% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-11454
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
| 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2019-11454
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11454
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L475QJMFFI2QV5QEHAKKPVX6QX6ECUL6/
  [SECURITY] Fedora 31 Update: monit-5.26.0-1.fc31 (package-announce, Fedora Mailing Lists). Tags: Mailing List; Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQDHRSKTEX5MSYXNCGFTUSFGANBARHX/
  [SECURITY] Fedora 32 Update: monit-5.26.0-1.fc32 (package-announce, Fedora Mailing Lists). Tags: Mailing List; Third Party Advisory
- https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
  tildeslash / Monit / commit 328f60773057 (Bitbucket). Tags: Patch; Third Party Advisory
- https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
  tildeslash / Monit / commit 1a8295eab681 (Bitbucket). Tags: Patch; Third Party Advisory
- https://usn.ubuntu.com/3971-1/
  USN-3971-1: Monit vulnerabilities (Ubuntu security notices). Tags: Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/04/msg00028.html
  [SECURITY] [DLA 1767-1] monit security update. Tags: Mailing List; Third Party Advisory
- https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
  exploits/monit_xss.py at master, dzflack/exploits (GitHub). Tags: Exploit; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/12/msg00018.html
  [SECURITY] [DLA 2855-1] monit security update. Tags: Mailing List; Third Party Advisory