Unknown · Mysql Server · CVE-2024-53257
**Name of the Vulnerable Software and Affected Versions**
Vitess versions prior to 19.0.8
Vitess versions prior to 20.0.4
Vitess versions prior to 21.0.1
**Description**
Vitess is a database clustering system for horizontal scaling of MySQL. The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not escape the query text they display, so any HTML contained in a query executed by Vitess is written into the monitoring page unmodified. These pages are rendered using `text/template`, which performs no escaping, instead of a proper HTML templating engine such as `html/template`. Anyone looking at the Vitess status page is affected, typically owners or administrators of the Vitess cluster. Anyone who can influence the text that shows up in queries can trigger this issue.
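The root cause named above is the choice of template package. The following is an added illustration, not code from Vitess: a constructed `QueryLogEntry` type and a one-row template (both assumptions, not the project's own) are rendered once with `text/template` and once with `html/template`, showing that the same query text containing markup comes out raw in the first case and as inert escaped characters in the second.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// QueryLogEntry is a constructed stand-in for the fields a query-log page
// might display; it is not a Vitess type.
type QueryLogEntry struct {
	Method string
	SQL    string
}

// rowTemplate is a hypothetical template body: one table row per query,
// with the SQL text interpolated directly into the markup.
const rowTemplate = `<tr><td>{{.Method}}</td><td>{{.SQL}}</td></tr>`

// renderWithTextTemplate mirrors the vulnerable pattern the advisory
// describes: text/template does no context-aware escaping, so markup in
// the SQL text is emitted verbatim into the page.
func renderWithTextTemplate(e QueryLogEntry) (string, error) {
	tmpl, err := texttemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the corrected form: html/template escapes each
// interpolated value according to the HTML context it lands in, so the
// same SQL text is shown as visible characters rather than parsed as markup.
func renderWithHTMLTemplate(e QueryLogEntry) (string, error) {
	tmpl, err := htmltemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample: a legitimate query whose comment happens to
	// contain HTML markup, as any database user could write.
	entry := QueryLogEntry{
		Method: "Execute",
		SQL:    "SELECT id FROM t /* <b>note</b> */",
	}
	raw, _ := renderWithTextTemplate(entry)
	escaped, _ := renderWithHTMLTemplate(entry)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", escaped)
}
```

The fix is a one-line import change because `html/template` is API-compatible with `text/template`; the remediation in the patched Vitess releases is to render these debug pages with the HTML-aware package, which is the general rule for any status or monitoring page that displays text supplied by users of the system.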
**Recommendations**
For Vitess versions prior to 19.0.8, update to version 19.0.8 or later.
For Vitess versions prior to 20.0.4, update to version 20.0.4 or later.
For Vitess versions prior to 21.0.1, update to version 21.0.1 or later.
As a temporary workaround, consider restricting access to the `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` until the issue is resolved. Avoid using queries that include HTML markup until the issue is fixed.