3.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11291

GHSA ID

GHSA-9pf7-f47q-mwpq

EPSS Score

0.65741%

CWE

CWE-79

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Erlang

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-11291

CVE-2019-11291: Cross-site Scripting in RabbitMQ

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

(GitHub Advisory)

3.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11291

GHSA ID

GHSA-9pf7-f47q-mwpq

EPSS Score

0.65741%

CWE

CWE-79

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Erlang

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rabbit_common	erlang	>= 3.7.0, < 3.7.20	3.7.20
rabbit_common	erlang	>= 3.8.0, < 3.8.1	3.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly affects federation and shovel endpoints that process vhost/node name parameters. These ERlang functions are core to handling management UI rendering for their respective plugins. The XSS vulnerability stems from: 1) Admin-controlled parameters being reflected in HTML responses 2) Lack of output encoding context (vhosts/node names used in HTML without escaping) 3) The functions' role in endpoint handling as part of RabbitMQ's management plugin architecture. While exact line numbers aren't available, the combination of endpoint responsibility and parameter handling makes these functions clear candidates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pivot*l R***itMQ, *.* v*rsions prior to v*.*.** *n* *.* v*rsion prior to v*.*.*, *n* R***itMQ *or P**, *.**.x v*rsions prior to *.**.* *n* *.**.x v*rsions prior to *.**.*, *ont*in two *n*points, ****r*tion *n* s*ov*l, w*i** *o not prop*rly s*nitiz* u

Reasoning

T** vuln*r**ility *xpli*itly *****ts ****r*tion *n* s*ov*l *n*points t**t `pro**ss` v*ost/no** n*m* p*r*m*t*rs. T**s* `*Rl*n*` *un*tions *r* *or* to **n*lin* m*n***m*nt UI r*n**rin* *or t**ir r*sp**tiv* plu*ins. T** XSS vuln*r**ility st*ms *rom: *) *

3.5

Basic Information

Concerned about an active attack path?

CVE-2019-11291: Cross-site Scripting in RabbitMQ

3.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI