2 results (0.002 seconds)

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-29622 – Arbitrary redirects under /new endpoint

https://notcve.org/view.php?id=CVE-2021-29622

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. • https://github.com/prometheus/prometheus/releases/tag/v2.26.1 https://github.com/prometheus/prometheus/releases/tag/v2.27.1 https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 https://access.redhat.com/security/cve/CVE-2021-29622 https://bugzilla.redhat.com/show_bug.cgi?id=1962718 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2019-3826

https://notcve.org/view.php?id=CVE-2019-3826

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. Se ha detectado un error de Cross-Site Scripting (XSS) almacenado basado en DOM en Prometheus, en versiones anteriores a la 2.7.1. Un atacante podría explotar esta vulnerabilidad convenciendo a un usuario autenticado para que visite una URL manipulada en un servidor de Prometheus, lo que permite la ejecución y el almacenamiento persistente de scripts arbitrarios. • https://access.redhat.com/errata/RHBA-2019:0327 https://advisory.checkmarx.net/advisory/CX-2019-4297 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826 https://github.com/prometheus/prometheus/commit/62e591f9 https://github.com/prometheus/prometheus/pull/5163 https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E https: • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •