CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-1313 – Users outside an organization can delete a snapshot with its key
https://notcve.org/view.php?id=CVE-2024-1313
26 Mar 2024 — It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-1442 – User with permissions to create a data source can CRUD all data sources
https://notcve.org/view.php?id=CVE-2024-1442
07 Mar 2024 — A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgará al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organización. A flaw was foun... • https://grafana.com/security/security-advisories/cve-2024-1442 • CWE-269: Improper Privilege Management •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5122 – SSRF in CSV Datasource Plugin
https://notcve.org/view.php?id=CVE-2023-5122
14 Feb 2024 — Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/ https://www.example.com/` ), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request fro... • https://grafana.com/security/security-advisories/cve-2023-5122 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5123 – Improper Path Sanitization in JSON Datasource Plugin
https://notcve.org/view.php?id=CVE-2023-5123
14 Feb 2024 — The JSON datasource plugin ( https://grafana.com/grafana/plugins/marcusolsson-json-datasource/ ) is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing JSON data from a remote endpoint (including a specific sub-path) configured by an administrator. Due to inadequate sanitization of the dashboard-supplied path parameter, it was possible to include path traversal characters (../) in the path parameter and send requests to paths on the configured endpoint outside the configur... • https://grafana.com/security/security-advisories/cve-2023-5123 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-6152
https://notcve.org/view.php?id=CVE-2023-6152
13 Feb 2024 — A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. Un usuario que cambia su correo electrónico después de registrarse y verificarlo puede cambiarlo sin verificación en la configuración del perfil. La opción de configuración "verify_email_enabled" solo validará el correo electrónico al registrarse. • https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f • CWE-863: Incorrect Authorization •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3010
https://notcve.org/view.php?id=CVE-2023-3010
25 Oct 2023 — Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability. Grafana es una plataforma de código abierto para monitorización y observabilidad. El complemento del panel WorldMap, versiones anteriores a la 1.0.4, contiene una vulnerabilidad de DOM XSS. • https://grafana.com/security/security-advisories/cve-2023-3010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4399
https://notcve.org/view.php?id=CVE-2023-4399
17 Oct 2023 — Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address. Grafana es una plataforma de código abierto para monitorización y observabilidad. En Grafana Enterprise, la seguridad de solicitudes es una lista de denegación que permite a los admin... • https://grafana.com/security/security-advisories/cve-2023-4399 • CWE-183: Permissive List of Allowed Inputs •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4457
https://notcve.org/view.php?id=CVE-2023-4457
16 Oct 2023 — Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2. Grafana es una plataforma de código abierto para monitorización y observabilidad. • https://grafana.com/security/security-advisories/cve-2023-4457 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4822 – grafana: incorrect assessment of permissions across organizations
https://notcve.org/view.php?id=CVE-2023-4822
16 Oct 2023 — Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate th... • https://grafana.com/security/security-advisories/cve-2023-4822 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 18%CPEs: 10EXPL: 0CVE-2023-3128 – grafana: account takeover possible when using Azure AD OAuth
https://notcve.org/view.php?id=CVE-2023-3128
22 Jun 2023 — Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth i... • https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp • CWE-290: Authentication Bypass by Spoofing CWE-305: Authentication Bypass by Primary Weakness •