On Tue, 23 Apr 2019 06:53:03 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> CVE-2019-11454[0]:
> | Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
> | Monit before 5.25.3 allows a remote unauthenticated attacker to
> | introduce arbitrary JavaScript via manipulation of an unsanitized user
> | field of the Authorization header for HTTP Basic Authentication, which
> | is mishandled during an _viewlog operation.
>
>
> CVE-2019-11455[1]:
> | A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
> | before 5.25.3 allows a remote authenticated attacker to retrieve the
> | contents of adjacent memory via manipulation of GET or POST
> | parameters. The attacker can also cause a denial of service
> | (application outage).
Why severity "grave"? Seems wrong according to the description in https://www.debian.org/Bugs/Developer#severities.
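As an added illustration of the bug class the second CVE names (a percent-escape decoder that reads past the end of its input), here is a naive decoder beside a bounds-checked one. This is example code written for this note, not Monit's Util_urlDecode; the function names and the specific trigger shown (a truncated escape such as a trailing "%" or "%4") are assumptions about the class of bug, not a description of the actual Monit defect or of how it was fixed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not Monit's code. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Naive decoder of the over-reading kind. On input ending in "%" it reads
 * s[i+1] (the terminator) and s[i+2] (one byte past the string) before it
 * checks whether either is a hex digit. With a heap- or stack-allocated
 * input, that byte belongs to adjacent memory: an over-read that a
 * malformed GET/POST parameter can trigger. */
size_t url_decode_naive(const char *s, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; s[i] != '\0' && o + 1 < outlen; i++) {
        if (s[i] == '%') {
            int hi = hexval((unsigned char)s[i + 1]);  /* BUG: unchecked read */
            int lo = hexval((unsigned char)s[i + 2]);  /* BUG: unchecked read */
            if (hi >= 0 && lo >= 0) {
                out[o++] = (char)((hi << 4) | lo);
                i += 2;
                continue;
            }
        }
        out[o++] = (s[i] == '+') ? ' ' : s[i];
    }
    out[o] = '\0';
    return o;
}

/* Length-bounded decoder. Takes the input length explicitly, refuses a
 * truncated or malformed escape instead of guessing, and never writes past
 * outlen. Returns the decoded length, or -1 on malformed input or a
 * too-small output buffer. */
long url_decode_safe(const char *s, size_t slen, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; i < slen; i++) {
        if (o >= outlen) return -1;              /* no room for another byte */
        if (s[i] == '%') {
            if (i + 2 >= slen) return -1;        /* truncated escape: reject */
            int hi = hexval((unsigned char)s[i + 1]);
            int lo = hexval((unsigned char)s[i + 2]);
            if (hi < 0 || lo < 0) return -1;     /* "%zz": reject */
            out[o++] = (char)((hi << 4) | lo);
            i += 2;
        } else if (s[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = s[i];
        }
    }
    if (o >= outlen) return -1;                  /* no room for terminator */
    out[o] = '\0';
    return (long)o;
}

int main(void) {
    /* Constructed sample inputs: a well-formed query value and two truncated ones. */
    const char *inputs[] = { "user%40example.com+x", "abc%", "abc%4" };
    char buf[64];
    for (size_t k = 0; k < 3; k++) {
        long n = url_decode_safe(inputs[k], strlen(inputs[k]), buf, sizeof buf);
        if (n < 0)
            printf("%-22s -> rejected (malformed escape)\n", inputs[k]);
        else
            printf("%-22s -> \"%s\" (%ld bytes)\n", inputs[k], buf, n);
    }
    return 0;
}
```

The safe decoder is only exercised on well-formed and truncated input; the naive one is shown for contrast and is deliberately not fed a truncated escape here, since that read is undefined behaviour rather than a value to check.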