CVE-2019-9834 - Vulnerability Details - OpenCVE

The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.08272.

Key SSVC decision points have not yet been added.

Vendors	Products
Netdata Subscribe	Netdata Subscribe

Configuration 1 [-]

cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/netdata/netdata/issues/5800#issuecomment-510986112
https://www.exploit-db.com/exploits/46545
https://www.youtube.com/watch?v=zSG93yX0B8k

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-03-15T17:00:00

Updated: 2024-08-04T22:01:54.993Z

Reserved: 2019-03-15T00:00:00

Link: CVE-2019-9834

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-03-15T17:29:00.383

Modified: 2024-11-21T04:52:24.063

Link: CVE-2019-9834

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-03-15T00:00:00", "descriptions": [{"lang": "en", "value": "The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-14T02:25:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "46545", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46545"}, {"tags": ["x_refsource_MISC"], "url": "https://www.youtube.com/watch?v=zSG93yX0B8k"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9834", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "46545", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46545"}, {"name": "https://www.youtube.com/watch?v=zSG93yX0B8k", "refsource": "MISC", "url": "https://www.youtube.com/watch?v=zSG93yX0B8k"}, {"name": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112", "refsource": "MISC", "url": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:01:54.993Z"}, "title": "CVE Program Container", "references": [{"name": "46545", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46545"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.youtube.com/watch?v=zSG93yX0B8k"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9834", "datePublished": "2019-03-15T17:00:00", "dateReserved": "2019-03-15T00:00:00", "dateUpdated": "2024-08-04T22:01:54.993Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC637690-4B20-4183-9C15-ECEC65272965", "versionEndIncluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot"}, {"lang": "es", "value": "** EN DISPUTA ** La aplicaci\u00f3n web Netdata, hasta la versi\u00f3n 1.13.0, permite que los atacantes remotos inyecten su propio c\u00f3digo HTML en una instant\u00e1nea importada. Esto tambi\u00e9n se conoce como inyecci\u00f3n HTML. Su explotaci\u00f3n con \u00e9xito permite que se ejecute HTML proporcionado por el atacante en el contexto del navegador afectado, pudiendo permitir al atacante robar las credenciales de autenticaci\u00f3n o controlar c\u00f3mo se renderiza el sitio al usuario. NOTA: el proveedor no est\u00e1 de acuerdo con el riesgo porque hay una advertencia clara junto al bot\u00f3n al importar una instant\u00e1nea."}], "id": "CVE-2019-9834", "lastModified": "2024-11-21T04:52:24.063", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-15T17:29:00.383", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46545"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.youtube.com/watch?v=zSG93yX0B8k"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46545"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.youtube.com/watch?v=zSG93yX0B8k"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}