SB2019060534 - Stored cross-site scripting in monit (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Stored cross-site scripting (CVE-ID: CVE-2019-11454)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows a remote authenticated attacker to inject arbitrary JavaScript via  user field of the Authorization header for HTTP Basic Authentication and execute it during an "_viewlog" operation.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=165df433b6fd3e30ce578c4f54946a2079aa963c
• https://git.alpinelinux.org/aports/commit/?id=8ae19acb1269f568cc856f52a50234227872b0bd
• https://git.alpinelinux.org/aports/commit/?id=b3c4cba85e047ff7101bb58a0acf2a266f0d3f34