{"id":"CVE-2019-10779","details":"All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker-controlled website can load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user.","modified":"2026-04-11T18:24:43.187570Z","published":"2020-01-28T01:15:10.817Z","related":["SNYK-JAVA-STROOM-541182"],"references":[{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-STROOM-541182"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gchq/stroom","events":[{"introduced":"0"},{"fixed":"5f597506f06e69f9c3ae4af462bd3c12e2754149"},{"fixed":"bf1438ecabe150136ecd7229d16f2d73779980db"}],"database_specific":{"cpe":"cpe:2.3:a:gchq:stroom:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"5.5.12"},{"introduced":"6.0"},{"fixed":"6.0.25"}],"source":"CPE_FIELD"}}],"versions":["dev-20171011-DAILY","dev-20171012-DAILY","dev-20171013-DAILY","dev-20171014-DAILY","dev-20171015-DAILY","dev-20171027-DAILY","dev-20171028-DAILY","dev-20171029-DAILY","dev-20171030-DAILY","dev-20171031-DAILY","dev-20171101-DAILY","dev-20171102-DAILY","dev-20171103-DAILY","dev-20171104-DAILY","dev-20171105-DAILY","dev-20171106-DAILY","dev-20171107-DAILY","dev-20171108-DAILY","dev-20171109-DAILY","dev-20171110-DAILY","dev-20171111-DAILY","dev-20171112-DAILY","dev-20171113-DAILY","dev-20171114-DAILY","dev-20171115-DAILY","dev-20171116-DAILY","dev-20171117-DAILY","dev-20171118-DAILY","dev-20171119-DAILY","dev-20171120-DAILY","dev-20171121-DAILY","dev-20171122-DAILY","dev-20171123-DAILY","dev-20171124-DAILY","dev-20171125-DAILY","dev-20171126-DAILY","dev-20171127-DAILY","dev-20171128-DAILY","dev-20171129-DAILY","dev-20171130-DAILY","dev-20171201-DAILY","dev-20171202-DAILY","dev-20171204-DAILY","dev-20171205-DAILY","dev-20171207-DAILY","dev-20171208-DAILY",
"dev-20171212-DAILY","dev-20171213-DAILY","dev-20171214-DAILY","dev-20171215-DAILY","dev-20171216-DAILY","dev-20171217-DAILY","dev-20171218-DAILY","dev-20171219-DAILY","dev-20171220-DAILY","dev-20171221-DAILY","dev-20171222-DAILY","dev-20171223-DAILY","dev-20171224-DAILY","dev-20171225-DAILY","dev-20171226-DAILY","dev-20171227-DAILY","dev-20171228-DAILY","dev-20171229-DAILY","dev-20171230-DAILY","dev-20171231-DAILY","dev-20180101-DAILY","dev-20180102-DAILY","dev-20180103-DAILY","dev-20180104-DAILY","dev-20180105-DAILY","dev-20180106-DAILY","dev-20180107-DAILY","dev-20180108-DAILY","dev-20180109-DAILY","dev-20180110-DAILY","dev-20180111-DAILY","dev-20180112-DAILY","dev-20180113-DAILY","dev-20180114-DAILY","dev-20180115-DAILY","dev-20180116-DAILY","dev-20180117-DAILY","dev-20180118-DAILY","dev-20180119-DAILY","dev-20180120-DAILY","dev-20180121-DAILY","dev-20180122-DAILY","dev-20180123-DAILY","dev-20180124-DAILY","dev-20180125-DAILY","dev-20180126-DAILY","dev-20180127-DAILY","dev-20180128-DAILY","dev-20180129-DAILY","dev-20180130-DAILY","dev-20180131-DAILY","dev-20180201-DAILY","dev-20180202-DAILY","dev-20180203-DAILY","dev-20180204-DAILY","dev-20180205-DAILY","master-20171124-DAILY","master-20171125-DAILY","master-20171126-DAILY","master-20171127-DAILY","master-20171128-DAILY","master-20171213-DAILY","master-20171214-DAILY","master-20171215-DAILY","master-20171216-DAILY","master-20171217-DAILY","master-20171218-DAILY","master-20171219-DAILY","master-20171220-DAILY","master-20171221-DAILY","master-20171222-DAILY","master-20171223-DAILY","master-20171224-DAILY","master-20171225-DAILY","master-20171226-DAILY","master-20171227-DAILY","master-20171228-DAILY","master-20171229-DAILY","master-20171230-DAILY","master-20171231-DAILY","master-20180101-DAILY","master-20180102-DAILY","master-20180103-DAILY","master-20180104-DAILY","master-20180105-DAILY","master-20180106-DAILY","master-20180107-DAILY","master-20180108-DAILY","master-20180109-DAILY","master-20180110-DAILY","master-
20180111-DAILY","master-20180112-DAILY","master-20180113-DAILY","master-20180114-DAILY","master-20180115-DAILY","master-20180116-DAILY","master-20180117-DAILY","master-20180118-DAILY","master-20180119-DAILY","master-20180120-DAILY","master-20180121-DAILY","master-20180122-DAILY","master-20180123-DAILY","master-20180124-DAILY","master-20180125-DAILY","master-20180126-DAILY","master-20180127-DAILY","master-20180128-DAILY","master-20180129-DAILY","master-20180130-DAILY","master-20180131-DAILY","master-20180201-DAILY","master-20180202-DAILY","master-20180203-DAILY","master-20180204-DAILY","master-20180205-DAILY","master-20180206-DAILY","master-20180207-DAILY","master-20180208-DAILY","master-20180209-DAILY","master-20180210-DAILY","master-20180211-DAILY","master-20180212-DAILY","master-20180213-DAILY","master-20180214-DAILY","master-20180215-DAILY","master-20180216-DAILY","master-20180217-DAILY","master-20180218-DAILY","master-20180219-DAILY","master-20180220-DAILY","v5.0-beta.10","v5.0-beta.11","v5.0-beta.12","v5.0-beta.13","v5.0-beta.14","v5.0-beta.17","v5.0-beta.18","v5.0-beta.19","v5.0-beta.20","v5.0-beta.21","v5.0-beta.22","v5.0-beta.23","v5.0-beta.24","v5.0-beta.4","v5.0-beta.7","v5.0-beta.8","v5.0-beta.9","v5.1-alpha.1","v5.1-beta.1","v5.1-beta.10","v5.1-beta.11","v5.1-beta.12","v5.1-beta.13","v5.1-beta.14","v5.1-beta.15","v5.1-beta.16","v5.1-beta.2","v5.1-beta.3","v5.1-beta.4","v5.1-beta.5","v5.1-beta.6","v5.1-beta.7","v5.1-beta.8","v5.1-beta.9","v5.1.0","v5.2.1","v5.2.2","v5.2.3","v5.2.4","v5.3.0","v5.3.0-beta.1","v5.3.0-beta.2","v5.3.0-beta.3","v5.3.0-beta.4","v5.3.1","v5.3.2","v5.3.3","v5.3.4","v5.4.0","v5.4.1","v5.4.2","v5.4.3","v5.4.4","v5.4.5","v5.4.6","v5.5.0","v5.5.0-beta.1","v5.5.0-beta.10","v5.5.0-beta.2","v5.5.0-beta.3","v5.5.0-beta.4","v5.5.0-beta.5","v5.5.0-beta.6","v5.5.0-beta.7","v5.5.0-beta.8","v5.5.0-beta.9","v5.5.1","v5.5.10","v5.5.11","v5.5.2","v5.5.3","v5.5.4","v5.5.5","v5.5.6","v5.5.7","v5.5.8","v5.5.9","v6.0-alpha.11","v6.0-alpha.12","v6.0-a
lpha.14","v6.0-alpha.15","v6.0-alpha.16","v6.0-alpha.17","v6.0-alpha.18","v6.0-alpha.20","v6.0-alpha.22","v6.0-alpha.23","v6.0-alpha.25","v6.0-alpha.26","v6.0-alpha.27","v6.0-alpha.4","v6.0-alpha.7","v6.0-alpha.9","v6.0-beta.1","v6.0-beta.12","v6.0-beta.13","v6.0-beta.19","v6.0-beta.2","v6.0-beta.20","v6.0-beta.21","v6.0-beta.22","v6.0-beta.25","v6.0-beta.26","v6.0-beta.27","v6.0-beta.28","v6.0-beta.29","v6.0-beta.3","v6.0-beta.30","v6.0-beta.31","v6.0-beta.32","v6.0-beta.33","v6.0-beta.34","v6.0-beta.35","v6.0-beta.36","v6.0-beta.37","v6.0-beta.38","v6.0-beta.39","v6.0-beta.4","v6.0-beta.40","v6.0-beta.41","v6.0-beta.42","v6.0-beta.43","v6.0-beta.44","v6.0-beta.45","v6.0-beta.46","v6.0-beta.47","v6.0-beta.48","v6.0-beta.49","v6.0-beta.5","v6.0-beta.50","v6.0-beta.51","v6.0-beta.52","v6.0-beta.53","v6.0-beta.54","v6.0-beta.55","v6.0-beta.56","v6.0-beta.57","v6.0-beta.58","v6.0-beta.59","v6.0-beta.6","v6.0-beta.60","v6.0-beta.61","v6.0-beta.62","v6.0-beta.63","v6.0-beta.65","v6.0-beta.66","v6.0-beta.67","v6.0-beta.68","v6.0-beta.69","v6.0-beta.7","v6.0-beta.70","v6.0-beta.8","v6.0.1","v6.0.11","v6.0.12","v6.0.13","v6.0.14","v6.0.15","v6.0.16","v6.0.18","v6.0.2","v6.0.21","v6.0.22","v6.0.23","v6.0.24","v6.0.3","v6.0.4","v6.0.5","v6.0.6","v6.0.7","v6.0.8","v6.0.9"],"database_specific":{"vanir_signatures_modified":"2026-04-11T18:24:43Z","vanir_signatures":[{"digest":{"line_hashes":["188339521519578504928507123183127585484","174144265290802474956701533375638770739","84903814959401745501632731220625359226","167038065341747132606591914710087847931"],"threshold":0.9},"signature_type":"Line","id":"CVE-2019-10779-1a64e368","source":"https://github.com/gchq/stroom/commit/5f597506f06e69f9c3ae4af462bd3c12e2754149","signature_version":"v1","target":{"file":"stroom-core-client/src/main/java/stroom/servlet/RemoteServiceHandlerAdapter.java"},"deprecated":false},{"digest":{"line_hashes":["246589527592532934474192819987916277530","338302345658953961266480767474967235454","715375754480
82094360201038030605951361","290604301901577296107484848953225157108","125605624321065562483313654483003640854","284526583100640776713609564298928671054"],"threshold":0.9},"signature_type":"Line","id":"CVE-2019-10779-7f016ea3","source":"https://github.com/gchq/stroom/commit/5f597506f06e69f9c3ae4af462bd3c12e2754149","signature_version":"v1","target":{"file":"stroom-core-client/src/main/java/stroom/dispatch/client/ClientDispatchAsyncImpl.java"},"deprecated":false},{"digest":{"length":366,"function_hash":"286581652912430740229437485104387967829"},"signature_type":"Function","id":"CVE-2019-10779-a48233ea","source":"https://github.com/gchq/stroom/commit/5f597506f06e69f9c3ae4af462bd3c12e2754149","signature_version":"v1","target":{"function":"ClientDispatchAsyncImpl","file":"stroom-core-client/src/main/java/stroom/dispatch/client/ClientDispatchAsyncImpl.java"},"deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10779.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}