Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-53257

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-03 Dec, 2024 | 15:46
Updated At-03 Dec, 2024 | 16:57
Rejected At-
Credits

Vitess allows HTML injection in /debug/querylogz & /debug/env

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:03 Dec, 2024 | 15:46
Updated At:03 Dec, 2024 | 16:57
Rejected At:
▼CVE Numbering Authority (CNA)
Vitess allows HTML injection in /debug/querylogz & /debug/env

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.

Affected Products
Vendor
vitessio
Product
vitess
Versions
Affected
  • >= 0.21.0-rc1, < 21.0.1
  • >= 0.20.0-rc1, < 20.0.4
  • < 19.0.8
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.14.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 4.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/vitessio/vitess/security/advisories/GHSA-7mwh-q3xm-qh6p
x_refsource_CONFIRM
https://github.com/vitessio/vitess/commit/2b71d1b5f8ca676beeab2875525003cd45096217
x_refsource_MISC
Hyperlink: https://github.com/vitessio/vitess/security/advisories/GHSA-7mwh-q3xm-qh6p
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/vitessio/vitess/commit/2b71d1b5f8ca676beeab2875525003cd45096217
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
vitessio
Product
vitess
CPEs
  • cpe:2.3:a:vitessio:vitess:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 19.0.8 (custom)
  • From 19.0.9 before 20.0.4 (custom)
  • From 20.0.5 before 21.0.1 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:03 Dec, 2024 | 16:15
Updated At:03 Dec, 2024 | 16:15

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 4.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/vitessio/vitess/commit/2b71d1b5f8ca676beeab2875525003cd45096217security-advisories@github.com
N/A
https://github.com/vitessio/vitess/security/advisories/GHSA-7mwh-q3xm-qh6psecurity-advisories@github.com
N/A
Hyperlink: https://github.com/vitessio/vitess/commit/2b71d1b5f8ca676beeab2875525003cd45096217
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/vitessio/vitess/security/advisories/GHSA-7mwh-q3xm-qh6p
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2024-43442
Matching Score-4
Assigner-OTRS AG
ShareView Details
Matching Score-4
Assigner-OTRS AG
CVSS Score-4.9||MEDIUM
EPSS-0.05% / 16.27%
||
7 Day CHG~0.00%
Published-26 Aug, 2024 | 08:42
Updated-26 Aug, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in System Configuration

Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in  OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue affects:  * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

Action-Not Available
Vendor-OTRS AG
Product-((OTRS)) Community EditionOTRS
CWE ID-CWE-790
Improper Filtering of Special Elements
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25107
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.22% / 44.43%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 22:46
Updated-17 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting in WikiDiscover

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `->text()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-mirahezemiraheze
Product-wikidiscoverWikiDiscover
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43709
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.9||MEDIUM
EPSS-0.06% / 19.27%
||
7 Day CHG~0.00%
Published-21 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

Action-Not Available
Vendor-n/aMyBB
Product-mybbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-31988
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-4.9||MEDIUM
EPSS-0.03% / 6.75%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 18:12
Updated-21 Aug, 2025 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Digital Experience is susceptible to cross site scripting (XSS)

HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-digital_experienceDigital Experience
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details not found