mailing list archives
CVE request: monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities
From: Ratul Gupta <ratulg () redhat com>
Date: Mon, 09 Dec 2013 15:23:29 +0530
Monitorix, an open source system monitoring tool, was found to be
vulnerable to two XSS vulnerabilities, which could allow attackers to
execute arbitrary script code in a user's browser in the context of the
Web server process, access sensitive data, or hijack a user's session.
The issue is that the built-in HTTP server failed to adequately sanitize
attacker may be able to inject arbitrary cookies. The same issue could
also cause arbitrary HTML and script code to be executed in a user's
browser within the security context of the affected site. Input passed
via requests to the "handle_request()" function (lib/HTTPServer.pm) is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
Can a CVE be assigned to this issue?
Ratul Gupta / Red Hat Security Response Team
- CVE request: monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities Ratul Gupta (Dec 09)