{"id":"CVE-2019-11454","details":"Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.","modified":"2026-04-16T04:44:23.622859559Z","published":"2019-04-22T16:29:01.490Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZQDHRSKTEX5MSYXNCGFTUSFGANBARHX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L475QJMFFI2QV5QEHAKKPVX6QX6ECUL6/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3971-1/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00028.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00018.html"},{"type":"FIX","url":"https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3"},{"type":"FIX","url":"https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c"},{"type":"EVIDENCE","url":"https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/tildeslash/monit","events":[{"introduced":"0"},{"fixed":"e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9"},{"fixed":"1a8295eab6815072a18019b668fe084945b751f3"},{"fixed":"328f60773057641c4b2075fab9820145e95b728c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.25.3"}]}}],"versions":["release-5-11-0","release-5-12-0","release-5-12-1","release-5-12-2","release-5-13-0","release-5-14-0","release-5-15-0","release-5-16-0","release-5-17-0","release-5-17-1","release-5-18-0","release-5-19-0","release-5-20-0","release-5-23-0","release-5-24-0","release-5-25-0","release-5-25-1","release-5-25-2","release-5-7","release-5-8","release-5-8-1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T08:55:45Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11454.json","vanir_signatures":[{"deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@328f60773057641c4b2075fab9820145e95b728c","target":{"file":"src/http/cervlet.c"},"id":"CVE-2019-11454-0dc3f653","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["192760338526727209623324117128154017375","176363103172019343482822146618895062539","268951090696583617304681140437510744709","59623480104490707459496006942355571950"]},"signature_type":"Line"},{"deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","target":{"file":"src/monit.c"},"id":"CVE-2019-11454-16367172","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["335804617024891229671540928535154829375","310100624601859608845471492265078988370","154807492576191686414917484984983555220","87379780001120515149930474484174954645"]},"signature_type":"Line"},{"deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","target":{"function":"version","file":"src/monit.c"},"id":"CVE-2019-11454-4c95ae77","signature_version":"v1","digest":{"length":598,"function_hash":"287019773174119488372765190948736526793"},"signature_type":"Function"},{"deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@328f60773057641c4b2075fab9820145e95b728c","target":{"function":"do_viewlog","file":"src/http/cervlet.c"},"id":"CVE-2019-11454-a558f63e","signature_version":"v1","digest":{"length":1120,"function_hash":"316469937887899855624336538781855417458"},"signature_type":"Function"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}