| Vulnerability Name: | CVE-2019-3826 (CCN-159534) | ||||||||||||||||||||||||||||||||
| Assigned: | 2019-02-18 | ||||||||||||||||||||||||||||||||
| Published: | 2019-02-18 | ||||||||||||||||||||||||||||||||
| Updated: | 2021-03-31 | ||||||||||||||||||||||||||||||||
| Summary: | A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. | ||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) 5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
| ||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-79 CWE-79 | ||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Cross-Site Scripting | ||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2019-3826 Source: REDHAT Type: Third Party Advisory RHBA-2019:0327 Source: MISC Type: UNKNOWN https://advisory.checkmarx.net/advisory/CX-2019-4297 Source: CCN Type: Red Hat Bugzilla Bug 1672865 (CVE-2019-3826) - CVE-2019-3826 prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL Source: CONFIRM Type: Issue Tracking, Patch, Third Party Advisory https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826 Source: XF Type: UNKNOWN prometheus-cve20193826-xss(159534) Source: CONFIRM Type: Patch, Third Party Advisory https://github.com/prometheus/prometheus/commit/62e591f9 Source: CCN Type: prometheus GIT Repository CVE-2019-3826: Remove custom highlight code, it's not needed. #5163 Source: CONFIRM Type: Patch, Third Party Advisory https://github.com/prometheus/prometheus/pull/5163 Source: MLIST Type: UNKNOWN [zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer Source: MLIST Type: UNKNOWN [zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer Source: MLIST Type: UNKNOWN [zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer Source: CCN Type: WhiteSource Vulnerability Database CVE-2019-3826 | ||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||