CVE-2019-10215
Published 2019-10-08
Priority P426 · medium · 6.1 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.53% (71.6th percentile)
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bootstrap-3-typeahead_project | bootstrap-3-typeahead | — | — |
| github.com | prometheus_prometheus | >= 0 < 0.311.3 | 0.311.3 |
| red_hat | bootstrap3-typeahead.js | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Red Hat | — | 6.1 | MEDIUM | — |
GHSA
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
ghsa·2026-05-05
CVE-2019-10215 [MEDIUM] CWE-79 Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
### Impact
In the Prometheus server's legacy web UI (enabled via the command-line flag `--enable-feature=old-ui`), the histogram heatmap chart view does not escape `le` label values when inserting them into the HTML for use as axis tick mark labels.
An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:
- Read `/api/v1/status/config` to extract sensitive configuration (although credentials / secrets are redacted by the server)
- Call `/-/quit` to shut
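Both records on this page describe the same defect class: an untrusted string (a typeahead suggestion in bootstrap3-typeahead's `highlighter()`, a histogram `le` label value in the old Prometheus heatmap) is concatenated into markup and then inserted as HTML. The block below is an added example, not code from Prometheus, bootstrap3-typeahead, or either advisory. It parses the `le` value out of constructed Prometheus text-exposition lines (honouring the `\\`, `\"` and `\n` escapes that format allows), renders the tick label the vulnerable way and the hardened way, and includes a crude check for tags that did not come from the renderer itself. All function names are illustrative.

```javascript
// Added example (not Prometheus or bootstrap3-typeahead code). Shows why a
// scraped label value must be HTML-escaped before it becomes markup.

// Constructed sample lines in the Prometheus text exposition format. The
// second carries a crafted `le` value of the kind the GHSA text describes.
const SAMPLE_EXPOSITION = [
  'http_request_duration_seconds_bucket{le="0.5"} 7',
  'http_request_duration_seconds_bucket{le="<img src=x onerror=alert(1)>"} 9',
  'http_request_duration_seconds_bucket{le="+Inf"} 9',
];

// Return the decoded value of label `name` from one exposition line, or null.
// The label must be introduced by `{` or `,` so `scale="..."` does not match
// a lookup for `le`. Exposition label values may contain the escapes \\ , \"
// and \n, so a naive /"([^"]*)"/ would truncate at an escaped quote.
function labelValue(line, name) {
  const needle = name + '="';
  let start = line.indexOf(needle);
  while (start !== -1 && !'{,'.includes(line[start - 1])) {
    start = line.indexOf(needle, start + 1);
  }
  if (start === -1) return null;
  let i = start + needle.length;
  let out = '';
  while (i < line.length) {
    const c = line[i];
    if (c === '\\') {
      const n = line[i + 1];
      if (n === 'n') out += '\n';
      else if (n === '"' || n === '\\') out += n;
      else throw new Error('bad escape in label value');
      i += 2;
    } else if (c === '"') {
      return out;
    } else {
      out += c;
      i += 1;
    }
  }
  throw new Error('unterminated label value');
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the label value is spliced straight into markup that
// is later assigned with innerHTML / jQuery .html().
function tickLabelUnsafe(le) {
  return '<span class="tick">' + le + '</span>';
}

// Hardened pattern: same markup, untrusted value escaped first. Setting the
// value with textContent on a created element is the equivalent DOM fix.
function tickLabelSafe(le) {
  return '<span class="tick">' + escapeHtml(le) + '</span>';
}

// Render the heatmap axis tick labels for every bucket line in a scrape.
function renderHeatmapTicks(lines, safe) {
  return lines
    .map((l) => labelValue(l, 'le'))
    .filter((v) => v !== null)
    .map((v) => (safe ? tickLabelSafe(v) : tickLabelUnsafe(v)))
    .join('');
}

// Crude reviewer check over generated markup: any tag other than the <span>
// the renderer emits means untrusted input reached HTML unescaped.
function containsForeignTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

console.log('unsafe:', renderHeatmapTicks(SAMPLE_EXPOSITION, false));
console.log('safe:  ', renderHeatmapTicks(SAMPLE_EXPOSITION, true));
```

The crafted value survives parsing intact (it contains no quotes, so it is a perfectly valid label value), which is the point: the exposition format offers no protection, and the only correct place to neutralise it is at the HTML sink. The `containsForeignTag` check is deliberately narrow and is a smoke test for a renderer you control, not a general XSS detector.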
Red Hat
bootstrap3-typeahead.js: Cross-site scripting via highlighter() function
vendor_redhat·2019-10-02·CVSS 6.1
CVE-2019-10215 [MEDIUM] CWE-79 bootstrap3-typeahead.js: Cross-site scripting via highlighter() function
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.
Package: golang-github-prometheus-prometheus (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: golang-github-prometheus-prometheus (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: golang-github-prometheus-prometheus (Red Hat OpenShift Container Platform 3.9) - Not affected
No detection rules found.
No public exploits indexed.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
- https://access.redhat.com/errata/RHSA-2019:3771
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10215
Published 2019-10-08