Monit · Monit · CVE-2019-11455
**Name of the Vulnerable Software and Affected Versions**
Monit versions prior to 5.25.3
**Description**
The issue is a buffer over-read in the `Util_urlDecode` function of the Monit utility. By manipulating GET or POST parameters, an attacker can retrieve the contents of adjacent memory or cause a denial of service (application outage).
**Recommendations**
Update Monit to version 5.25.3 or later to resolve the issue. As a temporary workaround, consider restricting who can reach the code path that calls `Util_urlDecode`, or limiting who can submit GET and POST parameters to Monit, to minimize the risk of exploitation.