CVE-2019-11281

MEDIUM

Pivotal Software Rabbitmq < 3.7.18 - XSS

Title source: rule

Description

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

References (5)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0078

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

[Vendor Advisory] https://pivotal.io/security/cve-2019-11281

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/

Scores

CVSS v3 4.8

EPSS 0.0101

EPSS Percentile 76.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (7)

pivotal_software/rabbitmq < 3.7.18

pivotal_software/rabbitmq < 1.15.13

redhat/openstack

redhat/openstack_for_ibm_power

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

Timeline

Published Oct 16, 2019

Tracked Since Feb 18, 2026