Platform
php
Component
mellivora
Fixed in
2.0.1
2.1.1
CVE-2019-25092 describes a cross-site scripting (XSS) vulnerability discovered in Mellivora, a PHP-based application. This vulnerability allows an attacker to inject malicious scripts into the application, potentially leading to session hijacking or defacement. It affects versions 2.0 through 2.1 and is resolved by upgrading to version 2.2.0.
The vulnerability lies within the printuserip_log function of the user.inc.php file within the Admin Panel component. An attacker can manipulate the $entry['ip'] argument to inject arbitrary JavaScript code. Successful exploitation allows the attacker to execute malicious scripts within the context of the user's browser, potentially stealing session cookies, redirecting users to malicious websites, or modifying the application's content. The impact is amplified if the application is used in a sensitive environment or handles confidential data, as an attacker could gain unauthorized access and compromise user accounts.
This vulnerability was publicly disclosed in December 2022. While a public proof-of-concept is not widely available, the XSS nature of the vulnerability makes it relatively easy to exploit. No confirmed active exploitation campaigns have been reported as of the publication date. The vulnerability is tracked in the Vulners Database as VDB-216955.
Exploit Status
EPSS
0.31% (54% percentile)
CVSS Vector
The primary mitigation for CVE-2019-25092 is to upgrade Mellivora to version 2.2.0, which includes a patch (commit e0b6965f8dde608a3d2621617c05695eb406cbb9) addressing the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the $entry['ip'] parameter to prevent malicious code injection. Web application firewalls (WAFs) can also be configured to detect and block XSS attempts targeting this specific function. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the user IP log field and verifying that it is properly sanitized.
Actualice Mellivora a la versión 2.2.0 o posterior. Esta versión contiene una corrección para la vulnerabilidad de Cross-Site Scripting (XSS) en el panel de administración. La actualización mitigará el riesgo de ataques XSS a través del parámetro $entry['ip'] en el archivo include/layout/user.inc.php.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-25092 is a cross-site scripting (XSS) vulnerability affecting Mellivora versions 2.0 and 2.1, allowing attackers to inject malicious scripts.
You are affected if you are using Mellivora versions 2.0 or 2.1. Upgrade to version 2.2.0 to mitigate the risk.
Upgrade Mellivora to version 2.2.0. This version includes a patch that resolves the vulnerability. Input validation is a temporary workaround.
While no confirmed active exploitation campaigns have been reported, the ease of exploitation means it remains a potential threat.
Refer to the Vulners Database entry VDB-216955 for details and related information: https://vulners.com/VDB-216955
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.