CVE-2019-3826: Cross-site Scripting in Prometheus Prometheus

CWE-79: Cross-site Scripting | 10 documents | 7 sources
Severity: 6.1 MEDIUM (NVD)
EPSS: 1.5% (top 19.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26 | Latest update Dec 13

Description

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 3 packages

Also affects: Openshift Container Platform 3.11

Patches

🔴 Vulnerability Details (4)

GHSA | Withdrawn Advisory: Prometheus XSS Vulnerability | 2023-12-13
OSV | Withdrawn Advisory: Prometheus XSS Vulnerability | 2023-12-13
CVEList | CVE-2019-3826: A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2 | 2019-03-26
OSV | CVE-2019-3826: A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2 | 2019-03-26

📋 Vendor Advisories (2)

Red Hat | prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL | 2019-01-31
Debian | CVE-2019-3826: prometheus - A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus bef... | 2019

💬 Community (3)

Bugzilla | CVE-2019-3826 golang-github-prometheus-prometheus: prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL [epel-6] | 2019-02-06
Bugzilla | CVE-2019-3826 golang-github-prometheus-prometheus: prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL [fedora-all] | 2019-02-06
Bugzilla | CVE-2019-3826 prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL | 2019-02-06
CVE-2019-3826 — Cross-site Scripting | cvebase