CVSS: 9.8EPSS: 41%CPEs: 5EXPL: 1CVE-2022-26148 – grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
https://notcve.org/view.php?id=CVE-2022-26148
21 Mar 2022 — An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. Se ha detectado un problema en Grafana versiones hasta 7.3.4, cuando es integrado con Zabbix. La contraseña de Zabbix puede encontrarse en el códi... • https://2k8.org/post-319.html • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2022-21713 – Exposure of Sensitive Information in Grafana
https://notcve.org/view.php?id=CVE-2022-21713
08 Feb 2022 — Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when e... • https://github.com/grafana/grafana/pull/45083 • CWE-425: Direct Request ('Forced Browsing') CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2022-21703 – Cross Site Request Forgery in Grafana
https://notcve.org/view.php?id=CVE-2022-21703
08 Feb 2022 — Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as s... • https://github.com/grafana/grafana/pull/45083 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 1CVE-2022-21702 – Cross site scripting in Grafana proxy
https://notcve.org/view.php?id=CVE-2022-21702
08 Feb 2022 — Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the f... • https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-43815 – Grafana directory traversal for `.cvs` files
https://notcve.org/view.php?id=CVE-2021-43815
10 Dec 2021 — Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. • http://www.openwall.com/lists/oss-security/2021/12/10/4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 1%CPEs: 2EXPL: 0CVE-2021-43813 – Directory Traversal in Grafana
https://notcve.org/view.php?id=CVE-2021-43813
10 Dec 2021 — Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. • http://www.openwall.com/lists/oss-security/2021/12/10/4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 96%CPEs: 4EXPL: 1CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-39226
05 Oct 2021 — Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the... • http://www.openwall.com/lists/oss-security/2021/10/05/4 • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 0%CPEs: 10EXPL: 1CVE-2020-27846 – crewjam/saml: authentication bypass in saml authentication
https://notcve.org/view.php?id=CVE-2020-27846
21 Dec 2020 — A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se presenta una vulnerabilidad de verificación de firmas en crewjam/saml. Este fallo permite a un atacante omitir la autenticación SAML. • https://bugzilla.redhat.com/show_bug.cgi?id=1907670 • CWE-115: Misinterpretation of Input •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24303 – grafana: XSS via a query alias for the Elasticsearch and Testdata datasource
https://notcve.org/view.php?id=CVE-2020-24303
28 Oct 2020 — Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. Grafana versiones anteriores a 7.1.0-beta 1, permite un ataque de tipo XSS por medio de un alias de consulta de la fuente de datos de ElasticSearch A flaw was found in grafana. A XSS via a query alias for the ElasticSearch datasource is allowed. Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include bypass and cross site scripting vulnerab... • https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19499 – grafana: arbitrary file read via MySQL data source
https://notcve.org/view.php?id=CVE-2019-19499
28 Aug 2020 — Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations. Grafana versiones anteriores a 6.4.3 incluyéndola, presenta una vulnerabilidad de Lectura Arbitraria de Archivos, que podría ser explotada por un atacante autenticado que tiene privilegios para modificar las configuraciones de la fuente de datos Grafana has an Arbitrary File Read vulnerability, which could be exploited by an authentica... • https://security.netapp.com/advisory/ntap-20200918-0003 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •