CVE-2018-12973: OpenTSDB Cross-site Scripting vulnerability

CVSS Score: 6.1 (CVSS v3.0)

Basic Information
CVE ID: CVE-2018-12973
GHSA ID:
EPSS Score: 0.47285%
CWE: CWE-79
Published: 5/14/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
net.opentsdb:opentsdb | maven | <= 2.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the /q endpoint's handling of the 'json' parameter. Since XSS occurs when input is reflected without sanitization, the servlet responsible for processing /q requests (likely QueryServlet) would read the 'json' parameter and include it in HTTP responses. The absence of proper HTML encoding in this output flow matches the described XSS pattern. Though the exact code isn't available, the endpoint/parameter combination and the CWE-79 classification strongly indicate improper output encoding in the request handler.