CVE-2019-11281
MEDIUMRabbitMQ < 3.7.18 and 1.15.0-1.15.13 - Authenticated Stored XSS in Virtual Host Limits and Federation Management UI
Title source: llmDescription
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2019-11281
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0078
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html
Scores
CVSS v3
4.8
EPSS
0.0101
EPSS Percentile
77.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (7)
debian/debian_linux
9.0
fedoraproject/fedora
30
fedoraproject/fedora
31
pivotal_software/rabbitmq
< 3.7.18
pivotal_software/rabbitmq
1.15.0 - 1.15.13
redhat/openstack
15
redhat/openstack_for_ibm_power
15
Published
Oct 16, 2019
Tracked Since
Feb 18, 2026