CVE-2024-53257
CVSS 3.1 Score 4.9 of 10 (medium)
Details
Published Dec 3, 2024
CWE ID 79
Summary
CVE-2024-53257 is a vulnerability affecting Vitess, a database clustering system for MySQL. The issue lies in the /debug/querylogz and /debug/env pages of the vtgate and vttablet components, which fail to properly escape user input. A malicious query can therefore write HTML into these monitoring pages, leading to cross-site scripting (XSS). The pages render HTML with text/template, which inserts values verbatim without escaping, instead of an HTML-aware templating engine, which increases the risk. This vulnerability is resolved in Vitess versions 21.0.1, 20.0.4, and 19.0.8.
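The following Go program is an added illustration of the root cause named in the summary; it is not Vitess code and does not reproduce the actual /debug/querylogz template. It renders a constructed query string through text/template (the vulnerable pattern, which copies the value into the page unchanged) and through html/template, Go's context-aware HTML engine, used here as a stand-in for the "proper HTML templating engine" the summary refers to. The row template, the logRow type and the sample query are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// sampleQuery is a constructed value standing in for SQL text that a client
// sent and that a debug page later displays. It deliberately carries markup.
const sampleQuery = `SELECT 1 /* <script>alert("xss")</script> */`

// logRow is a hypothetical minimal query-log entry; real Vitess rows differ.
type logRow struct {
	SQL string
}

// rowTmpl is an assumed table-row template. The same template source is fed
// to both engines so that only the engine's escaping behaviour differs.
const rowTmpl = `<tr><td>{{.SQL}}</td></tr>`

// RenderWithTextTemplate shows the vulnerable pattern: text/template has no
// notion of HTML and substitutes the value verbatim, so any markup inside the
// query lands in the page as live HTML.
func RenderWithTextTemplate(sql string) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, logRow{SQL: sql}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate shows the hardened pattern: html/template parses the
// template as HTML and escapes each interpolated value for the context it
// appears in (here, element text), so '<', '>' and '"' become entities.
func RenderWithHTMLTemplate(sql string) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, logRow{SQL: sql}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsRawMarkup is a simple detection check: a rendered page that still
// contains a literal tag opener from user-controlled input has not been escaped.
func ContainsRawMarkup(rendered string) bool {
	return strings.Contains(rendered, "<script>")
}

func main() {
	raw, err := RenderWithTextTemplate(sampleQuery)
	if err != nil {
		panic(err)
	}
	safe, err := RenderWithHTMLTemplate(sampleQuery)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template :", raw, "raw markup:", ContainsRawMarkup(raw))
	fmt.Println("html/template :", safe, "raw markup:", ContainsRawMarkup(safe))
}
```

Switching the import is the whole fix for this pattern because the two packages share an API; html/template also escapes differently when the placeholder sits inside an attribute, a URL or a script block, so the template itself must be valid HTML for that contextual escaping to apply.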