Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53257
Summary
Vitess is a database clustering system for horizontal scaling of MySQL. The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using `text/template` instead of rendering with a proper HTML templating engine. This issue affects vitess.io/vitess versions through 0.19.7, 0.20.0-rc1 through 0.20.3, 0.21.0-rc1 through 0.21.0, 2.0.0-alpha1 through 19.0.7, 20.0.0-rc1 through 20.0.3, and 21.0.0-rc1 through 21.0.0.
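The difference between the two template packages named in the summary, as an added example that is not Vitess code: the row template, the `logRow` type and the sample query are constructed for illustration. The same template text is parsed once with `text/template` and once with `html/template`, and only the second escapes markup carried in the query.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// rowTmpl is a constructed stand-in for one row of a query-log debug page.
// It is not the template Vitess uses.
const rowTmpl = `<tr><td>{{.User}}</td><td>{{.SQL}}</td></tr>`

// logRow is a hypothetical record whose fields come from an executed query.
type logRow struct {
	User string
	SQL  string
}

// renderText uses text/template, which copies values into the output
// unchanged, so markup inside a query becomes markup in the page.
func renderText(r logRow) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, r)
	return buf.String(), err
}

// renderHTML uses html/template, which escapes each value for the HTML
// context it is placed in.
func renderHTML(r logRow) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, r)
	return buf.String(), err
}

func main() {
	// Constructed sample: a query whose string literal contains a harmless tag.
	row := logRow{User: "app", SQL: "select '<b>injected</b>' from t"}
	raw, _ := renderText(row)
	escaped, _ := renderHTML(row)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", escaped)
}
```

A regression test for a debug page can follow the same pattern: render a record containing a marker tag and fail if the tag appears unescaped in the response body.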
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- HIGH
- NONE
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a vulnerable web application and target its users. Exploitation of this weakness can cause severe issues such as account takeover and exfiltration of sensitive data. Because XSS vulnerabilities are so prevalent and so frequently exploited, XSS has remained in the OWASP Top 10 for years.