
CVE-2019-3826: Withdrawn Advisory: Prometheus XSS Vulnerability

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.85233%
Published: 12/13/2023
Updated: 12/18/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/prometheus/prometheus | go | < 2.7.1 | 2.7.1 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability was addressed in commit ea254ee by removing the custom highlighting functions entirely. The DOM-based XSS stemmed from how user-controlled input taken from URLs was processed and then persisted in the query history. The JavaScript highlight function wrote that unsanitized input directly into DOM elements, while the Go function generated unsafe HTML output. In the fix both were replaced with proper sanitization via prism.js.
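As an added illustration (not Prometheus code and not the contents of the commit above, which the page does not show), the following JavaScript contrasts a keyword highlighter that splices URL-derived query text into markup unescaped with one that escapes every fragment before adding its own span tags, and applies the same treatment when stored history entries are rendered back. The keyword list, function names and sample query are constructed for this example, and plain HTML escaping stands in for the prism.js-based sanitization the fix used.

```javascript
// Added example, not Prometheus code: an unsafe and a safe keyword
// highlighter for query text that arrives from a URL parameter and is later
// stored in, and re-rendered from, a query history.
// KEYWORDS, the function names and the sample inputs are constructed here.

const KEYWORDS = ['sum', 'rate']; // assumed list, not the real query grammar

// Escape the characters that change meaning inside HTML content or
// double/single-quoted attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape regex metacharacters so keywords are matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// "Before" pattern: the raw query is treated as markup and keywords are
// wrapped by string replacement. Anything tag-like in the query survives
// verbatim, so assigning the result to innerHTML renders it as HTML.
function highlightUnsafe(query, keywords = KEYWORDS) {
  let html = String(query);
  for (const kw of keywords) {
    html = html.split(kw).join(`<span class="kw">${kw}</span>`);
  }
  return html;
}

// "After" pattern: split the query into keyword and non-keyword fragments,
// escape every fragment, and only then add span markup. The only tags in
// the output are the ones this function wrote.
function highlightSafe(query, keywords = KEYWORDS) {
  const pattern = new RegExp(`(${keywords.map(escapeRegExp).join('|')})`, 'g');
  return String(query)
    .split(pattern) // the capturing group places keyword matches at odd indices
    .map((part, i) => (i % 2 === 1
      ? `<span class="kw">${escapeHtml(part)}</span>`
      : escapeHtml(part)))
    .join('');
}

// History entries come back from storage as strings that a user (or a
// crafted URL) once supplied, so they are escaped again when rendered.
function renderHistory(entries) {
  return '<ul>' + entries.map((q) => `<li>${highlightSafe(q)}</li>`).join('') + '</ul>';
}

// Constructed sample: a query that also carries benign markup.
const SAMPLE_QUERY = 'sum(rate(x[5m])) <b>bold</b>';

console.log(highlightUnsafe(SAMPLE_QUERY)); // the <b> tag passes through untouched
console.log(highlightSafe(SAMPLE_QUERY));   // the <b> tag is escaped, spans remain
console.log(renderHistory([SAMPLE_QUERY, 'rate(y[1m])']));
```

The safe variant escapes before it adds markup, so the order of operations, not a blocklist of dangerous strings, is what keeps query text inert; the same function is reused for history entries because persisted input is still input.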


WAF Protection Rules

WAF Rule

## Withdrawn Advisory

This advisory has been withdrawn because the vulnerability does not apply to the Prometheus Golang package. This link is maintained to preserve external references.

## Original Description

A stored, DOM based, cross-site script
