VYPR
Low severity · NVD Advisory · Published Sep 22, 2020 · Updated Sep 16, 2024

Cross-site Scripting (XSS)

CVE-2020-7734

Description

All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cabot monitoring service is vulnerable to Cross-site Scripting (XSS) through the Endpoint column, allowing injection of malicious scripts.

All versions of the cabot package are vulnerable to Cross-site Scripting (XSS) via the Endpoint column [1]. This occurs because user-supplied input in the Endpoint field is not properly sanitized before being rendered in the web interface, allowing an attacker to inject arbitrary HTML or JavaScript [2].

An attacker can exploit this by providing a malicious payload in the Endpoint column, which is then stored and executed in the browser of any user viewing the affected endpoint list. The attack requires no special privileges, as the Endpoint input is typically accessible to any user who can create or edit services in cabot [3].

Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim’s session, potentially leading to session hijacking, data theft, or further actions against the cabot instance [2].

As of the latest information, there is no patched version of cabot available, and the project is not actively maintained [3]. Users are advised to restrict access to the cabot application or consider migrating to an alternative monitoring solution.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
cabot (PyPI)   <= 0.11.16          (none listed)

Patches

Commit eb0b3544f8c8: Merge pull request #694 from 418sec/1-pip-cabot

https://github.com/arachnys/cabot · David Buxton · Jan 5, 2021 · via ghsa
2 files changed · +3 −1
  • cabot/cabotapp/models/base.py+2 0 modified
    @@ -9,6 +9,7 @@
     
     from celery.exceptions import SoftTimeLimitExceeded
     from celery.utils.log import get_task_logger
    +from django.core.validators import URLValidator
     from django.conf import settings
     from django.contrib.auth.models import User
     from django.db import models
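Review bot: import order: the new `from django.core.validators import URLValidator` is placed ahead of `from django.conf import settings`, which breaks the alphabetical ordering of the `django.*` group in this file; move it below `from django.contrib.auth.models import User` (just before `from django.db import models`) to keep the grouping consistent.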
    @@ -472,6 +473,7 @@ class StatusCheck(PolymorphicModel):
         endpoint = models.TextField(
             null=True,
             help_text='HTTP(S) endpoint to poll.',
    +        validators = [URLValidator()],
         )
         username = models.TextField(
             blank=True,
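Review bot: `validators = [URLValidator()]` only runs when the model is validated (`full_clean()`, e.g. through a ModelForm); direct `save()` calls and rows already in the database are not checked, and the validator tests URL syntax rather than HTML safety, so this line is defense in depth and the template change is the actual fix for the stored XSS. Two smaller points: write the keyword argument as `validators=[URLValidator()]` without spaces to match the surrounding style, and since Django includes a field's validators in its migration state, this diff (2 files changed, no migration) will leave a pending `makemigrations` change for `StatusCheck.endpoint`.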
    
  • cabot/templates/cabotapp/statuscheck_detail.html+1 1 modified
    @@ -78,7 +78,7 @@ <h3 class="pull-left">Check results</h3>
               </td>
               <td>{{ result.time_complete }}</td>
               <td>{{ result.took }}</td>
    -          <td>{% autoescape off %}{{ result.error|default:"" }}{% endautoescape %}</td>
    +          <td>{{ result.error|default:"" }}</td>
             </tr>
           {% endfor %}
           </tbody>
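Review bot: removing `{% autoescape off %}` is the change that actually stops the stored XSS, since `result.error` now goes through Django's default HTML escaping (the `default:""` filter is unaffected). Before merging, confirm two things: the advisory names the Endpoint column as the injection point while this hunk only touches the error cell, so check the template(s) that render `endpoint` itself and any other `|safe` or `autoescape off` use of `result.error`; and make sure nothing legitimately relied on HTML inside error messages, as that markup will now be shown as literal text.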
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
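As an added illustration of the mechanics behind the patch above (example code written for this page, not cabot's own; the error-message format and the endpoint value are constructed, and a small urlsplit-based check stands in for Django's URLValidator), this shows that an endpoint can be a syntactically valid URL and still carry markup, and that the escaping restored in the patched template cell is what neutralises it:

```python
"""Stand-in for cabot's check-result rendering: the pre-patch cell with
autoescape off versus the patched cell with Django's default escaping."""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# URLValidator's default scheme list; assumption, stated in the lead-in.
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


def endpoint_is_syntactic_url(endpoint: str) -> bool:
    """Syntax-only check: allowed scheme, a host, no whitespace.
    Like a URL validator, it says nothing about HTML safety of the
    characters after the host."""
    if any(ch.isspace() for ch in endpoint):
        return False
    parts = urlsplit(endpoint)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def check_error_for(endpoint: str) -> str:
    """Constructed stand-in for the text a failed poll stores in
    result.error (the real format is not shown in the advisory); the
    point is only that the endpoint ends up inside the message."""
    return f"Connection error for {endpoint}"


def render_error_cell(error: Optional[str], autoescape: bool) -> str:
    """The <td> for result.error. autoescape=False is the pre-patch
    `{% autoescape off %}` cell; autoescape=True is the patched default.
    html.escape(quote=True) escapes the same five characters (& < > " ')
    that Django's autoescaping does."""
    text = error or ""  # the |default:"" filter
    if autoescape:
        text = escape(text, quote=True)
    return f"<td>{text}</td>"


if __name__ == "__main__":
    # Constructed sample endpoint carrying markup in its path.
    endpoint = "http://monitor.example/health/<script>alert(1)</script>"
    print("passes syntactic URL check:", endpoint_is_syntactic_url(endpoint))
    err = check_error_for(endpoint)
    print("pre-patch cell:", render_error_cell(err, autoescape=False))
    print("patched cell  :", render_error_cell(err, autoescape=True))
```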
