CVSS: 6.9EPSS: 75%CPEs: 1EXPL: 0CVE-2021-41174 – XSS vulnerability allowing arbitrary JavaScript execution
https://notcve.org/view.php?id=CVE-2021-41174
03 Nov 2021 — Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for Ang... • https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 94%CPEs: 4EXPL: 1CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-39226
05 Oct 2021 — Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the... • http://www.openwall.com/lists/oss-security/2021/10/05/4 • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •