Veracode Vulnerability Database: VERACODE:33478
History: Dec 29, 2021 - 6:55 a.m.

Cross-site Scripting (XSS)

2021-12-29 06:55:01
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: monit:stretch, software vulnerability, lack of sanitization, http basic authentication, user field, viewlog operation

EPSS: 0.002
Percentile: 55.2%

monit:stretch is vulnerable to cross-site scripting. Lack of proper sanitization in http/cervlet.c allows a remote unauthenticated attacker to introduce arbitrary JavaScript by manipulating the unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during a _viewlog operation.
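
An added example, not monit's code and not part of the advisory: one way to treat the Basic-authentication user field as untrusted, by decoding the Authorization value and HTML-escaping the user name before it is written into a page. The function names and the sample header values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Decode base64 into out (NUL-terminated). Returns length, or -1 on bad input. */
static int b64_decode(const char *in, char *out, size_t outsz) {
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;                      /* character outside the alphabet */
        acc = (acc << 6) | (unsigned int)(p - B64);
        if ((bits += 6) < 8) continue;          /* not a full byte yet */
        bits -= 8;
        if (n + 1 >= outsz) return -1;          /* keep room for the terminator */
        out[n++] = (char)((acc >> bits) & 0xFF);
    }
    out[n] = '\0';
    return (int)n;
}
/* Replace the five HTML-significant characters with entities. */
static int html_escape(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = *in == '&' ? "&amp;" : *in == '<' ? "&lt;" :
                          *in == '>' ? "&gt;" : *in == '"' ? "&quot;" :
                          *in == '\'' ? "&#39;" : one;
        size_t len = strlen(rep);
        if (n + len >= outsz) return -1;        /* refuse to truncate mid-entity */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}
/* Hypothetical helper: user name from "Basic <b64>", escaped for HTML output. */
int basic_user_for_html(const char *value, char *out, size_t outsz) {
    char decoded[256];
    if (outsz == 0 || strncmp(value, "Basic ", 6) != 0) return -1;
    if (b64_decode(value + 6, decoded, sizeof decoded) < 0) return -1;
    char *colon = strchr(decoded, ':');
    if (!colon) return -1;                      /* no user:password separator */
    *colon = '\0';
    return html_escape(decoded, out, outsz);
}
int main(void) {
    char safe[128];   /* constructed sample value: user "<i>", password "pw" */
    if (basic_user_for_html("Basic PGk+OnB3", safe, sizeof safe) == 0) puts(safe);
    return 0;
}
```

Malformed headers and outputs that would not fit are rejected rather than truncated, so a caller can fall back to a fixed placeholder instead of echoing the raw field.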