CVE-2019-3826: Withdrawn Advisory: Prometheus XSS Vulnerability

CVSS Score: 5.4 (CVSS 3.1)
Basic Information

Field | Value |
---|---|
CVE ID | CVE-2019-3826 |
GHSA ID | |
EPSS Score | 0.85233% |
CWE | |
Published | 12/13/2023 |
Updated | 12/18/2023 |
KEV Status | No |
Technology | Go |
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/prometheus/prometheus | go | < 2.7.1 | 2.7.1 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The DOM-based XSS stemmed from how user-controlled input from URLs was processed and persisted in query history. Two custom highlighting functions handled that input: the JavaScript highlight function directly manipulated DOM elements with unsanitized input, while the Go function generated unsafe HTML output. The vulnerability was addressed in commit ea254ee by removing both custom highlighting functions entirely and replacing them with proper sanitization via prism.js.
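The pattern the analysis describes, as an added illustration that is not Prometheus's code and not the fix in commit ea254ee: a toy highlighter that splices a URL-supplied expression into HTML unescaped, beside a version that escapes every text fragment before wrapping it in markup. The URL, the `g0.expr` parameter name and the sample expression are constructed for the example.

```javascript
// Added illustration of the DOM-based XSS pattern described above; not Prometheus code.
// A toy PromQL highlighter wraps string literals in <span> elements. The unsafe
// version splices the raw expression into markup; the hardened one escapes first.

// Constructed sample: a graph URL whose expression parameter carries markup.
// The parameter name "g0.expr" is assumed here for illustration only.
const SAMPLE_EXPR = 'up{job="api"} <script>alert(1)</script>';
const SAMPLE_URL = 'https://prometheus.example/graph?g0.expr=' + encodeURIComponent(SAMPLE_EXPR);

// Expression as it would be read from the page URL and persisted in query history.
function exprFromUrl(url) {
  return new URL(url).searchParams.get('g0.expr') || '';
}

const STRING_LITERAL = /"[^"]*"/g;

// Vulnerable pattern: the matched text and the text around it reach the HTML
// unchanged, so a '<' in the expression becomes live markup once assigned to innerHTML.
function highlightUnsafe(expr) {
  return expr.replace(STRING_LITERAL, (s) => `<span class="string">${s}</span>`);
}

// Escape the five characters that can change HTML context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every fragment of user text is escaped before any markup is
// added around it, so the output can only contain the <span> elements we emit.
function highlightSafe(expr) {
  let out = '';
  let last = 0;
  for (const m of expr.matchAll(STRING_LITERAL)) {
    out += escapeHtml(expr.slice(last, m.index));
    out += `<span class="string">${escapeHtml(m[0])}</span>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(expr.slice(last));
}

// Check that a rendered fragment contains no tags other than the highlighter's own spans.
function onlyHighlightMarkup(html) {
  return html.replace(/<\/?span( class="string")?>/g, '').indexOf('<') === -1;
}

const expr = exprFromUrl(SAMPLE_URL);
console.log('unsafe:', highlightUnsafe(expr), onlyHighlightMarkup(highlightUnsafe(expr)));
console.log('safe  :', highlightSafe(expr), onlyHighlightMarkup(highlightSafe(expr)));
```

The `onlyHighlightMarkup` check is the kind of assertion a unit test for such a renderer should carry: any tag in the output that the highlighter did not emit itself means user text reached the HTML unescaped.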