CVE-2019-13274 in Xymon
Summary
by MITRE
In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter.
Analysis
by VulDB Data Team • 08/31/2025
CVE-2019-13274 is a cross-site scripting flaw in the Xymon monitoring system, version 4.3.28 and earlier. It affects the csvinfo CGI script, the part of the web interface that displays monitoring data in CSV format. The flaw stems from inadequate validation and sanitization of the db parameter, which is processed without proper escaping or filtering. When an attacker crafts a malicious payload and passes it through this parameter, the script does not encode the output, so attacker-supplied JavaScript executes in the context of the victim's browser session.
Exploitation occurs when an attacker manipulates the db parameter sent to the csvinfo CGI endpoint so that it contains JavaScript. Because the script incorporates user-supplied data directly into the web response without sanitization, this is a classic XSS attack vector. The weakness is classified as CWE-79, which covers cross-site scripting flaws arising from missing input validation and output encoding. The attack can be delivered through crafted URLs, malicious email attachments, or by tricking users into following links that carry the payload.
The operational impact is significant for organizations that rely on Xymon for system monitoring and security operations. An attacker who exploits the flaw can gain unauthorized access to the monitoring system and potentially steal sensitive information about network infrastructure, system states and security events. A compromised session could let the attacker view confidential monitoring data, manipulate alerts, or escalate privileges within the monitoring environment. The flaw therefore affects both the integrity and the confidentiality of the monitoring infrastructure, potentially exposing critical system information to unauthorized parties and undermining the security posture of the entire monitored network. The attack vector maps to ATT&CK technique T1059.007, which covers scripting through web shells and malicious scripts.
Mitigation begins with updating Xymon to version 4.3.29 or later, where the input validation has been corrected. Organizations should also apply proper input sanitization and output encoding in all CGI scripts that handle user-supplied data. A web application firewall can add a layer of protection by filtering suspicious payloads before they reach the vulnerable script. Regular security assessments and input-validation reviews help prevent similar issues in other components. The fix typically consists of HTML-escaping every user-supplied parameter and validating the db parameter strictly before csvinfo processes it. Network segmentation and access controls should also be reviewed to limit the impact of successful exploitation.
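The vulnerable and hardened handling described above, as an added C illustration that is not taken from the Xymon csvinfo source: the allow-list rule for db names, the buffer sizes and the sample database names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (illustrative, not the Xymon source): the db value is
 * written into the page verbatim, so any markup in it is rendered by the browser. */
int render_unsafe(const char *db, char *out, size_t outlen) {
    return snprintf(out, outlen, "<p>Database: %s</p>", db);
}

/* Allow-list: 1..64 chars from [A-Za-z0-9_.-]; an assumed policy for this example. */
int db_param_is_valid(const char *db) {
    size_t n = strlen(db);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)db[i]) && !strchr("_.-", db[i])) return 0;
    return 1;
}

/* Entity for an HTML-significant character, or NULL if it can be copied as is. */
static const char *html_rep(char c) {
    switch (c) {
        case '<': return "&lt;";   case '>':  return "&gt;";  case '&': return "&amp;";
        case '"': return "&quot;"; case '\'': return "&#39;"; default:  return NULL;
    }
}

/* Escape src into dst; returns 0 on success, -1 if dst cannot hold the result. */
int html_escape(const char *src, char *dst, size_t dstlen) {
    size_t j = 0;
    for (; *src; src++) {
        const char *rep = html_rep(*src);
        size_t rl = rep ? strlen(rep) : 1;
        if (j + rl >= dstlen) return -1;
        if (rep) memcpy(dst + j, rep, rl); else dst[j] = *src;
        j += rl;
    }
    dst[j] = '\0';
    return 0;
}

/* Hardened pattern: validate the value, and escape whatever is echoed back (the
 * rejection message too). Returns 0 if accepted, 1 if rejected, -1 on buffer error. */
int render_safe(const char *db, char *out, size_t outlen) {
    char esc[256];
    int ok = db_param_is_valid(db);
    if (html_escape(db, esc, sizeof esc) != 0) return -1;
    snprintf(out, outlen, ok ? "<p>Database: %s</p>" : "<p>Rejected db parameter: %s</p>", esc);
    return ok ? 0 : 1;
}
```

Validation alone is not enough here, because the rejected value is echoed in the error message; escaping on every output path is what keeps request-controlled bytes out of the page.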