CVSS: 9.8EPSS: 94%CPEs: 4EXPL: 1CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-39226
05 Oct 2021 — Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the... • http://www.openwall.com/lists/oss-security/2021/10/05/4 • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 12%CPEs: 10EXPL: 1CVE-2020-27846 – crewjam/saml: authentication bypass in saml authentication
https://notcve.org/view.php?id=CVE-2020-27846
21 Dec 2020 — A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se presenta una vulnerabilidad de verificación de firmas en crewjam/saml. Este fallo permite a un atacante omitir la autenticación SAML. • https://bugzilla.redhat.com/show_bug.cgi?id=1907670 • CWE-115: Misinterpretation of Input •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2020-24303 – grafana: XSS via a query alias for the Elasticsearch and Testdata datasource
https://notcve.org/view.php?id=CVE-2020-24303
28 Oct 2020 — Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. Grafana versiones anteriores a 7.1.0-beta 1, permite un ataque de tipo XSS por medio de un alias de consulta de la fuente de datos de ElasticSearch A flaw was found in grafana. A XSS via a query alias for the ElasticSearch datasource is allowed. Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include bypass and cross site scripting vulnerab... • https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 37%CPEs: 1EXPL: 1CVE-2019-19499 – grafana: arbitrary file read via MySQL data source
https://notcve.org/view.php?id=CVE-2019-19499
28 Aug 2020 — Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations. Grafana versiones anteriores a 6.4.3 incluyéndola, presenta una vulnerabilidad de Lectura Arbitraria de Archivos, que podría ser explotada por un atacante autenticado que tiene privilegios para modificar las configuraciones de la fuente de datos Grafana has an Arbitrary File Read vulnerability, which could be exploited by an authentica... • https://security.netapp.com/advisory/ntap-20200918-0003 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 67%CPEs: 2EXPL: 1CVE-2020-11110 – grafana: stored XSS
https://notcve.org/view.php?id=CVE-2020-11110
27 Jul 2020 — Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. Grafana hasta la versión 6.7.1 permite un ataque de tipo XSS almacenado debido a la insuficiente protección de entrada en el campo originalUrl, lo que permite a un atacante inyectar código JavaScript que se ejecutará después de hacer clic en Open Original Dashboard... • https://github.com/AVE-Stoik/CVE-2020-11110-Proof-of-Concept • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13430 – grafana: XSS via the OpenTSDB datasource
https://notcve.org/view.php?id=CVE-2020-13430
24 May 2020 — Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. Grafana versiones anteriores a 7.0.0, permite un ataque de tipo XSS del valor de etiqueta por medio de la fuente de datos OpenTSDB. A flaw was found in grafana Tag value XSS via the OpenTSDB datasource are possible. The highest threat from this vulnerability is to data confidentiality and integrity. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise Ope... • https://github.com/grafana/grafana/pull/24539 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.2EPSS: 0%CPEs: 6EXPL: 1CVE-2020-12458 – grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
https://notcve.org/view.php?id=CVE-2020-12458
29 Apr 2020 — An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords). Se encontró un fallo de divulgación de información en Grafana versiones hasta 6.7.3. El directorio de base de datos /var/lib/grafana y el archivo de base de datos /var/lib/grafana/grafana.db son de tipo world readable. • https://access.redhat.com/security/cve/CVE-2020-12458 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2020-12052 – grafana: XSS annotation popup vulnerability
https://notcve.org/view.php?id=CVE-2020-12052
27 Apr 2020 — Grafana version < 6.7.3 is vulnerable for annotation popup XSS. Grafana versiones anteriores a la versión 6.7.3, es vulnerable a un ataque de tipo XSS del popup de anotaciones. A flaw was found in grafana. The software is vulnerable to an annotation popup XSS. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. • https://community.grafana.com/t/release-notes-v6-7-x/27119 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 0CVE-2020-12245 – grafana: XSS via column.title or cellLinkTooltip
https://notcve.org/view.php?id=CVE-2020-12245
24 Apr 2020 — Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. Grafana versiones anteriores a la versiones 6.7.3, permite un ataque de tipo XSS del panel de tabla por medio de column.title o cellLinkTooltip. A flaw was found in grafana. A XSS is possible in table-panel via column.title or cellLinkTooltip. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 88%CPEs: 2EXPL: 1CVE-2019-15043 – grafana: incorrect access control in snapshot HTTP API leads to denial of service
https://notcve.org/view.php?id=CVE-2019-15043
03 Sep 2019 — In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. En Grafana versión 2.x hasta la versión 6.x en versiones anteriores a la 6.3.4, partes de la API HTTP permiten el uso no autenticado. Esto hace posible ejecutar un ataque de denegación de servicio contra el servidor que ejecuta Grafana. Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, Inf... • https://github.com/h0ffayyy/CVE-2019-15043 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •