CVE-2019-11291

Severity: 4.8 MEDIUM
EPSS: 0.5% (top 34.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 22; latest update May 24

Description

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 versions prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (7 packages)

Source      Package                                  Affected from   Fixed in   Additional ranges
CVEListV5   pivotal/rabbitmq                         3.8             v3.8.1     +1
CVEListV5   pivotal/rabbitmq_for_pivotal_platform    1.17            1.17.4     +1
NVD         vmware/rabbitmq                          1.16.0          1.16.7     +1
NVD         broadcom/rabbitmq_server                 3.7.0           3.7.20     +1
Debian      rabbitmq-server                          < 3.8.3-1                  +3

🔴 Vulnerability Details (4)

GHSA: Cross-site Scripting in RabbitMQ (2022-05-24)
OSV: Cross-site Scripting in RabbitMQ (2022-05-24)
CVEList: RabbitMQ XSS attack via federation and shovel endpoints (2019-11-22)
OSV: CVE-2019-11291: Pivotal RabbitMQ, 3… (2019-11-22)

📋 Vendor Advisories (2)

Red Hat: rabbitmq-server: not properly sanitized user input may lead to XSS (2019-12-13)
Debian: CVE-2019-11291: rabbitmq-server - Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, ... (2019)

💬 Community (3)

Bugzilla: CVE-2019-11291 rabbitmq-server: not properly sanitized user input may lead to XSS [fedora-all] (2019-12-13)
Bugzilla: CVE-2019-11291 rabbitmq-server: not properly sanitized user input may lead to XSS (2019-12-13)
Bugzilla: CVE-2019-11291 rabbitmq-server: not properly sanitized user input may lead to XSS [openstack-rdo] (2019-12-13)
CVE-2019-11291 (MEDIUM CVSS 4.8) | Pivotal RabbitMQ | cvebase.io