Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation. Reference: https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py Upstream commit: https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
Created monit tracking bugs for this issue: Affects: fedora-all [bug 1702683]
Created monit tracking bugs for this issue: Affects: epel-all [bug 1702684]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.