{"id":"CVE-2019-11281","details":"Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.","modified":"2026-03-20T11:04:36.289247Z","published":"2019-10-16T16:15:10.340Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2019-11281"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0078"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rabbitmq/rabbitmq-server","events":[{"introduced":"0"},{"fixed":"ff44adbaf01276f2abea7d59da22ea518b6a1abe"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.7.18"}]}}],"versions":["6547461e6c2e","Aman-06-09-08","Aman-06-09-08_2","rabbitmq_v1_4_0","rabbitmq_v1_5_0","rabbitmq_v1_5_1","rabbitmq_v1_5_2","rabbitmq_v1_5_3","rabbitmq_v1_5_4","rabbitmq_v1_5_5","rabbitmq_v1_6_0","rabbitmq_v1_7_0","rabbitmq_v1_7_1","rabbitmq_v1_7_2","rabbitmq_v1_8_0","rabbitmq_v1_8_1","rabbitmq_v2.6.0","rabbitmq_v2_0_0","rabbitmq_v2_1_0","rabbitmq_v2_1_1","rabbitmq_v2_2_0","rabbitmq_v2_3_0","rabbitmq_v2_3_1","rabbitmq_v2_4_0","rabbitmq_v2_4_1","rabbitmq_v2_5_0","rabbitmq_v2_5_1","rabbitmq_v2_6_0","rabbitmq_v2_6_1","rabbitmq_v2_7_0","rabbitmq_v2_7_1","rabbitmq_v2_8_0","rabbitmq_v2_8_1","rabbitmq_v2_8_2","rabbitmq_v3_0_0","rabbitmq_v3_0_1","rabbitmq_v3_0_2","rabbitmq_v3_0_3","rabbitmq_v3_0_4","rabbitmq_v3_1_0","rabbitmq_v3_1_1","rabbitmq_v3_1_2","rabbitmq_v3_1_3","rabbitmq_v3_1_4","rabbitmq_v3_1_5","rabbitmq_v3_2_0","rabbitmq_v3_2_1","rabbitmq_v3_2_2","rabbitmq_v3_2_3","rabbitmq_v3_2_4","rabbitmq_v3_3_0","rabbitmq_v3_3_1","rabbitmq_v3_3_2","rabbitmq_v3_3_3","rabbitmq_v3_3_4","rabbitmq_v3_3_5","rabbitmq_v3_4_0","rabbitmq_v3_4_1","rabbitmq_v3_4_2","rabbitmq_v3_4_3","rabbitmq_v3_4_4","rabbitmq_v3_5_0","rabbitmq_v3_5_1","rabbitmq_v3_5_2","rabbitmq_v3_5_3","rabbitmq_v3_5_4","rabbitmq_v3_5_4_rc1","rabbitmq_v3_5_4_rc2","rabbitmq_v3_5_5","rabbitmq_v3_5_5_rc1","rabbitmq_v3_5_5_rc2","rabbitmq_v3_5_6","rabbitmq_v3_5_7","rabbitmq_v3_5_7_rc1","rabbitmq_v3_5_7_rc2","rabbitmq_v3_6_0","rabbitmq_v3_6_0_milestone1","rabbitmq_v3_6_0_milestone2","rabbitmq_v3_6_0_milestone3","rabbitmq_v3_6_0_rc1","rabbitmq_v3_6_0_rc2","rabbitmq_v3_6_0_rc3","rabbitmq_v3_6_1","rabbitmq_v3_6_10","rabbitmq_v3_6_10_milestone1","rabbitmq_v3_6_10_milestone2","rabbitmq_v3_6_10_milestone3","rabbitmq_v3_6_10_milestone4","rabbitmq_v3_6_10_rc1","rabbitmq_v3_6_10_rc2","rabbitmq_v3_6_11","rabbitmq_v3_6_11_milestone1","rabbitmq_v3_6_11_milestone2","rabbitmq_v3_6_11_milestone3","rabbitmq_v3_6_11_milestone4","rabbitmq_v3_6_11_milestone5","rabbitmq_v3_6_11_rc1","rabbitmq_v3_6_11_rc2","rabbitmq_v3_6_11_rc3","rabbitmq_v3_6_12","rabbitmq_v3_6_12_rc1","rabbitmq_v3_6_12_rc2","rabbitmq_v3_6_12_rc3","rabbitmq_v3_6_13","rabbitmq_v3_6_13_milestone1","rabbitmq_v3_6_13_rc1","rabbitmq_v3_6_13_rc2","rabbitmq_v3_6_14","rabbitmq_v3_6_1_rc1","rabbitmq_v3_6_1_rc2","rabbitmq_v3_6_2","rabbitmq_v3_6_2_milestone1","rabbitmq_v3_6_2_milestone2","rabbitmq_v3_6_2_milestone3","rabbitmq_v3_6_2_milestone4","rabbitmq_v3_6_2_milestone5","rabbitmq_v3_6_2_rc1","rabbitmq_v3_6_2_rc2","rabbitmq_v3_6_2_rc3","rabbitmq_v3_6_2_rc4","rabbitmq_v3_6_3","rabbitmq_v3_6_3_milestone1","rabbitmq_v3_6_3_milestone2","rabbitmq_v3_6_3_rc1","rabbitmq_v3_6_3_rc2","rabbitmq_v3_6_3_rc3","rabbitmq_v3_6_4","rabbitmq_v3_6_4_milestone1","rabbitmq_v3_6_4_milestone2","rabbitmq_v3_6_4_rc1","rabbitmq_v3_6_5","rabbitmq_v3_6_5_milestone1","rabbitmq_v3_6_5_milestone2","rabbitmq_v3_6_6","rabbitmq_v3_6_6_milestone1","rabbitmq_v3_6_6_milestone2","rabbitmq_v3_6_6_milestone3","rabbitmq_v3_6_6_milestone4","rabbitmq_v3_6_6_milestone5","rabbitmq_v3_6_6_rc1","rabbitmq_v3_6_6_rc2","rabbitmq_v3_6_7","rabbitmq_v3_6_7_milestone1","rabbitmq_v3_6_7_milestone2","rabbitmq_v3_6_7_milestone3","rabbitmq_v3_6_7_milestone4","rabbitmq_v3_6_7_milestone5","rabbitmq_v3_6_7_milestone6","rabbitmq_v3_6_7_rc1","rabbitmq_v3_6_7_rc2","rabbitmq_v3_6_7_rc3","rabbitmq_v3_6_8","rabbitmq_v3_6_9","rabbitmq_v3_7_0_milestone1","rabbitmq_v3_7_0_milestone10","rabbitmq_v3_7_0_milestone11","rabbitmq_v3_7_0_milestone12","rabbitmq_v3_7_0_milestone13","rabbitmq_v3_7_0_milestone14","rabbitmq_v3_7_0_milestone15","rabbitmq_v3_7_0_milestone16","rabbitmq_v3_7_0_milestone17","rabbitmq_v3_7_0_milestone18","rabbitmq_v3_7_0_milestone2","rabbitmq_v3_7_0_milestone3","rabbitmq_v3_7_0_milestone4","rabbitmq_v3_7_0_milestone5","rabbitmq_v3_7_0_milestone6","rabbitmq_v3_7_0_milestone7","rabbitmq_v3_7_0_milestone8","rabbitmq_v3_7_0_milestone9","v3.7.0","v3.7.0-beta.19","v3.7.0-beta.20","v3.7.0-rc.1","v3.7.0-rc.2","v3.7.1","v3.7.1-beta.1","v3.7.10","v3.7.10-rc.1","v3.7.10-rc.2","v3.7.10-rc.3","v3.7.10-rc.4","v3.7.11","v3.7.11-rc.1","v3.7.11-rc.2","v3.7.12","v3.7.12-rc.1","v3.7.12-rc.2","v3.7.13","v3.7.13-beta.1","v3.7.13-rc.1","v3.7.13-rc.2","v3.7.14","v3.7.14-rc.1","v3.7.14-rc.2","v3.7.15","v3.7.15-beta.1","v3.7.16","v3.7.16-beta.1","v3.7.16-rc.3","v3.7.16-rc.4","v3.7.17","v3.7.17-beta.1","v3.7.17-rc.1","v3.7.17-rc.2","v3.7.17-rc.3","v3.7.18-beta.1","v3.7.18-rc.1","v3.7.2","v3.7.3","v3.7.3-rc.1","v3.7.3-rc.2","v3.7.4","v3.7.4-rc.1","v3.7.4-rc.2","v3.7.4-rc.3","v3.7.4-rc.4","v3.7.5","v3.7.5-beta.1","v3.7.5-beta.2","v3.7.5-beta.3","v3.7.5-rc.1","v3.7.6","v3.7.6-rc.1","v3.7.6-rc.2","v3.7.7","v3.7.7-beta.1","v3.7.7-beta.2","v3.7.7-rc.1","v3.7.7-rc.2","v3.7.8","v3.7.8-rc.1","v3.7.8-rc.2","v3.7.8-rc.3","v3.7.8-rc.4","v3.7.9","v3.7.9-rc.1","v3.7.9-rc.2","v3.7.9-rc.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11281.json","unresolved_ranges":[{"events":[{"introduced":"1.15.0"},{"fixed":"1.15.13"}]},{"events":[{"introduced":"1.16.0"},{"fixed":"1.16.6"}]},{"events":[{"introduced":"1.17.0"},{"fixed":"1.17.3"}]},{"events":[{"introduced":"0"},{"last_affected":"15"}]},{"events":[{"introduced":"0"},{"last_affected":"15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}