Page 7 of 33 results (0.008 seconds)

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. • http://www.openwall.com/lists/oss-security/2021/11/15/1 https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes https://security.netapp.com/advisory/ntap-20211223-0001 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere CWE-863: Incorrect Authorization •

CVSS: 6.9EPSS: 95%CPEs: 1EXPL: 0

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. • https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912 https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82 https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88 https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8 https://security.netapp.com/advisory/ntap-20211125-0003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 91%CPEs: 4EXPL: 1

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. • http://www.openwall.com/lists/oss-security/2021/10/05/4 https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11 https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT https://lists.fedoraproject • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •