CVE-2019-25367

Name of the Vulnerable Software and Affected Versions ArangoDB Community Edition version 3.4.2-1

Description The ArangoDB Community Edition contains multiple cross-site scripting issues within the Aardvark web admin interface, specifically in the ‘index.html’ file. These issues are present in search functionality, user management features, and through various API parameters. An attacker can inject scripts via parameters in the / db/ system/ admin/aardvark/index.html endpoint, leading to the execution of JavaScript code within the browsers of authenticated users.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider carefully validating and sanitizing all user inputs to the / db/ system/ admin/aardvark/index.html endpoint. Restrict access to the Aardvark web admin interface to trusted users only.