Page 3 of 35 results (0.006 seconds)

CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8. • https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c https://github.com/grafana/grafana/pull/60232 https://github.com/grafana/grafana/pull/60256 https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw https://access.redhat.com/security/cve/CVE-2022-39324 https://bugzilla.redhat.com/show_bug.cgi?id=2148252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-472: External Control of Assumed-Immutable Web Parameter •

CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. • https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39306 https://bugzilla.redhat.com/show_bug.cgi?id=2138014 • CWE-20: Improper Input Validation CWE-303: Incorrect Implementation of Authentication Algorithm •

CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. • https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39307 https://bugzilla.redhat.com/show_bug.cgi?id=2138015 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc https://access.redhat.com/security/cve/CVE-2022-31130 https://bugzilla.redhat.com/show_bug.cgi?id=2131146 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. • https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35 https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r https://access.redhat.com/security/cve/CVE-2022-39229 https://bugzilla.redhat.com/show_bug.cgi?id=2131149 • CWE-287: Improper Authentication •