PublicDateAtUSN: 2019-04-22
Candidate: CVE-2019-11454
PublicDate: 2019-04-22 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
 https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
 https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
 https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
 https://ubuntu.com/security/notices/USN-3971-1
Description:
 Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit
 before 5.25.3 allows a remote unauthenticated attacker to introduce
 arbitrary JavaScript via manipulation of an unsanitized user field of the
 Authorization header for HTTP Basic Authentication, which is mishandled
 during an _viewlog operation.
Ubuntu-Description:
 Zack Flack discovered that Monit incorrectly handled certain input. A remote
 authenticated user could exploit this to conduct cross-site scripting (XSS)
 attacks.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]


Patches_monit:
upstream_monit: needed
precise/esm_monit: DNE
trusty_monit: ignored (out of standard support)
trusty/esm_monit: needed
xenial_monit: ignored (end of standard support, was needed)
bionic_monit: needed
cosmic_monit: released (1:5.25.2-1ubuntu0.1)
disco_monit: released (1:5.25.2-3ubuntu0.1)
eoan_monit: ignored (reached end-of-life)
focal_monit: not-affected (1:5.25.3-1)
groovy_monit: not-affected (1:5.25.3-1)
hirsute_monit: not-affected (1:5.25.3-1)
impish_monit: not-affected (1:5.25.3-1)
jammy_monit: not-affected (1:5.25.3-1)
devel_monit: not-affected (1:5.25.3-1)