CVSS: 5.4EPSS: 0%CPEs: 10EXPL: 0CVE-2023-6152
https://notcve.org/view.php?id=CVE-2023-6152
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. Un usuario que cambia su correo electrónico después de registrarse y verificarlo puede cambiarlo sin verificación en la configuración del perfil. La opción de configuración "verify_email_enabled" solo validará el correo electrónico al registrarse. • https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f https://grafana.com/security/security-advisories/cve-2023-6152 • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-3128 – grafana: account takeover possible when using Azure AD OAuth
https://notcve.org/view.php?id=CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information. • https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp https://grafana.com/security/security-advisories/cve-2023-3128 https://security.netapp.com/advisory/ntap-20230714-0004 https://access.redhat.com/security/cve/CVE-2023-3128 https://bugzilla.redhat.com/show_bug.cgi?id=2213626 • CWE-290: Authentication Bypass by Spoofing CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-34111 – Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin
https://notcve.org/view.php?id=CVE-2023-34111
The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. • https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25 https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr https://securitylab.github.com/research/github-actions-untrusted-input • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0594 – grafana: cross site scripting
https://notcve.org/view.php?id=CVE-2023-0594
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. A flaw was found in the grafana package. This flaw allows a malicious user with the ability to introduce trace data to provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus gaining access to the admin account. • https://grafana.com/security/security-advisories/cve-2023-0594 https://access.redhat.com/security/cve/CVE-2023-0594 https://bugzilla.redhat.com/show_bug.cgi?id=2168037 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39324 – Grafana vulnerable to spoofing originalUrl of snapshots
https://notcve.org/view.php?id=CVE-2022-39324
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8. • https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c https://github.com/grafana/grafana/pull/60232 https://github.com/grafana/grafana/pull/60256 https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw https://access.redhat.com/security/cve/CVE-2022-39324 https://bugzilla.redhat.com/show_bug.cgi?id=2148252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-472: External Control of Assumed-Immutable Web Parameter •