HTML Injection Vulnerability in Netdata Web Application
CVE-2019-9834

6.1MEDIUM

Key Information:

Vendor

Netdata

Status
Netdata
Vendor
CVE Published:
15 March 2019

What is CVE-2019-9834?

The Netdata web application, up to version 1.13.0, is susceptible to HTML injection that permits remote attackers to embed malicious HTML code into imported snapshots. This exploitation can lead to the execution of attacker-defined HTML in the user's browser context, posing risks such as credential theft and manipulation of site appearance. Although the vendor asserts that warnings accompany the import function, the potential for exploitation remains a concern.

References

https://www.exploit-db.com/exploits/46545
exploitx_refsource_EXPLOIT-DB
https://www.youtube.com/watch?v=zSG93yX0B8k
x_refsource_MISC
https://github.com/netdata/netdata/issues/5800#issuecomme...
x_refsource_MISC

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.