CVE-2024-53257
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-53257
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53257.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-53257
- Aliases
- Downstream
- Related
- Published
- 2024-12-03T15:46:40Z
- Modified
- 2025-11-13T19:51:14.695147Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Vitess allows HTML injection in /debug/querylogz & /debug/env
- Details
-
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
- Database specific
{ "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Git / github.com/vitessio/vitess
Affected ranges
Affected versions
v0.*
v0.10.0
v0.10.2
v0.19.0
v0.19.0-rc1
v0.19.1
v0.19.3
v0.19.4
v0.19.5
v0.19.6
v0.19.7
v0.21.0
v0.21.0-rc1
v0.21.0-rc2
v0.8.0
v0.9.0
v0.9.1
v10.*
v10.0.0
v10.0.0-rc1
v10.0.0-rc1-mysql80
v10.0.1
v10.0.2
v11.*
v11.0.0-rc1
v19.*
v19.0.0
v19.0.0-rc1
v19.0.1
v19.0.3
v19.0.4
v19.0.5
v19.0.6
v19.0.7
v2.*
v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-alpha4
v2.0.0-alpha5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0-alpha.1
v2.2
v2.2-alpha
v2.2.0-rc.1
v21.*
v21.0.0
v21.0.0-rc1
v21.0.0-rc2
v3.*
v3.0
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0-rc.3
v5.*
v5.0.0
v5.0.1
v6.*
v6.0.0-rc.1
v7.*
v7.0.0-beta
v8.*
v8.0.0
v8.0.0-rc1
v8.0.0-test
v9.*
v9.0.0
v9.0.0-rc1
v9.0.1
v9.0.2