Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript by manipulating the user field of the Authorization header for HTTP Basic Authentication; this field is not sanitized and is mishandled during an _viewlog operation.
{
"versions": [
{
"introduced": "0"
},
{
"fixed": "5.25.3"
}
]
}[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.10"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "31"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "32"
}
]
}
]
[
{
"signature_version": "v1",
"target": {
"file": "src/http/cervlet.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"192760338526727209623324117128154017375",
"176363103172019343482822146618895062539",
"268951090696583617304681140437510744709",
"59623480104490707459496006942355571950"
]
},
"source": "https://bitbucket.org/tildeslash/monit@328f60773057641c4b2075fab9820145e95b728c",
"signature_type": "Line",
"id": "CVE-2019-11454-0dc3f653",
"deprecated": false
},
{
"signature_version": "v1",
"target": {
"function": "do_foot",
"file": "src/http/cervlet.c"
},
"digest": {
"length": 648.0,
"function_hash": "23861697072258711609888231435936520561"
},
"source": "https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9",
"signature_type": "Function",
"id": "CVE-2019-11454-13a9ad76",
"deprecated": false
},
{
"signature_version": "v1",
"target": {
"file": "src/monit.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"335804617024891229671540928535154829375",
"310100624601859608845471492265078988370",
"154807492576191686414917484984983555220",
"87379780001120515149930474484174954645"
]
},
"source": "https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9",
"signature_type": "Line",
"id": "CVE-2019-11454-16367172",
"deprecated": false
},
{
"signature_version": "v1",
"target": {
"function": "version",
"file": "src/monit.c"
},
"digest": {
"length": 598.0,
"function_hash": "287019773174119488372765190948736526793"
},
"source": "https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9",
"signature_type": "Function",
"id": "CVE-2019-11454-4c95ae77",
"deprecated": false
},
{
"signature_version": "v1",
"target": {
"function": "do_about",
"file": "src/http/cervlet.c"
},
"digest": {
"length": 1433.0,
"function_hash": "309952375732884078430535276969002257337"
},
"source": "https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9",
"signature_type": "Function",
"id": "CVE-2019-11454-79ed33e1",
"deprecated": false
},
{
"signature_version": "v1",
"target": {
"file": "src/http/cervlet.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"83469158976872561554671678004370611577",
"231063324253302383638823170907697343759",
"266168777303464530820275752220424199435",
"234939084648347694763319377839068928997",
"271084292119558296088722602634243413305",
"72830479874841803587946559619711045487"
]
},
"source": "https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9",
"signature_type": "Line",
"id": "CVE-2019-11454-9093b3ec",
"deprecated": false
},
{
"signature_version": "v1",
"target": {
"function": "do_viewlog",
"file": "src/http/cervlet.c"
},
"digest": {
"length": 1120.0,
"function_hash": "316469937887899855624336538781855417458"
},
"source": "https://bitbucket.org/tildeslash/monit@328f60773057641c4b2075fab9820145e95b728c",
"signature_type": "Function",
"id": "CVE-2019-11454-a558f63e",
"deprecated": false
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11454.json"