CVE-2019-9834

Published: Mar 15, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot

Affected (1)

Products: Netdata: Netdata

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netdata Netdata	Up to 1.13.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/netdata/netdata/issues/5800#issuecomment-510986112

Source: cve@mitre.org

Third Party Advisory

https://www.exploit-db.com/exploits/46545

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.youtube.com/watch?v=zSG93yX0B8k

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/netdata/netdata/issues/5800#issuecomment-510986112

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.exploit-db.com/exploits/46545

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://www.youtube.com/watch?v=zSG93yX0B8k

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.