{"id":"CVE-2019-11454","details":"Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.","modified":"2026-04-16T00:10:24.037970312Z","published":"2019-04-22T16:29:01.490Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"18.10"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"31"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"32"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZQDHRSKTEX5MSYXNCGFTUSFGANBARHX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L475QJMFFI2QV5QEHAKKPVX6QX6ECUL6/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00028.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00018.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3971-1/"},{"type":"FIX","url":"https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3"},{"type":"FIX","url":"https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c"},{"type":"EVIDENCE","url":"https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/tildeslash/monit","events":[{"introduced":"0"},{"fixed":"e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9"},{"fixed":"1a8295eab6815072a18019b668fe084945b751f3"},{"fixed":"328f60773057641c4b2075fab9820145e95b728c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.25.3"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:mmonit:monit:*:*:*:*:*:*:*:*"}}],"versions":["release-5-11-0","release-5-12-0","release-5-12-1","release-5-12-2","release-5-13-0","release-5-14-0","release-5-15-0","release-5-16-0","release-5-17-0","release-5-17-1","release-5-18-0","release-5-19-0","release-5-20-0","release-5-23-0","release-5-24-0","release-5-25-0","release-5-25-1","release-5-25-2","release-5-7","release-5-8","release-5-8-1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11454.json","vanir_signatures":[{"source":"https://bitbucket.org/tildeslash/monit@328f60773057641c4b2075fab9820145e95b728c","id":"CVE-2019-11454-0dc3f653","target":{"file":"src/http/cervlet.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"line_hashes":["192760338526727209623324117128154017375","176363103172019343482822146618895062539","268951090696583617304681140437510744709","59623480104490707459496006942355571950"],"threshold":0.9}},{"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","id":"CVE-2019-11454-13a9ad76","target":{"function":"do_foot","file":"src/http/cervlet.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"function_hash":"23861697072258711609888231435936520561","length":648}},{"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","id":"CVE-2019-11454-16367172","target":{"file":"src/monit.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"line_hashes":["335804617024891229671540928535154829375","310100624601859608845471492265078988370","154807492576191686414917484984983555220","87379780001120515149930474484174954645"],"threshold":0.9}},{"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","id":"CVE-2019-11454-4c95ae77","target":{"function":"version","file":"src/monit.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"function_hash":"287019773174119488372765190948736526793","length":598}},{"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","id":"CVE-2019-11454-79ed33e1","target":{"function":"do_about","file":"src/http/cervlet.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"function_hash":"309952375732884078430535276969002257337","length":1433}},{"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","id":"CVE-2019-11454-9093b3ec","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"src/http/cervlet.c"},"digest":{"line_hashes":["83469158976872561554671678004370611577","231063324253302383638823170907697343759","266168777303464530820275752220424199435","234939084648347694763319377839068928997","271084292119558296088722602634243413305","72830479874841803587946559619711045487"],"threshold":0.9}},{"source":"https://bitbucket.org/tildeslash/monit@328f60773057641c4b2075fab9820145e95b728c","id":"CVE-2019-11454-a558f63e","target":{"function":"do_viewlog","file":"src/http/cervlet.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"function_hash":"316469937887899855624336538781855417458","length":1120}}],"vanir_signatures_modified":"2026-04-11T21:43:51Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}