CVSS: 6.5EPSS: 86%CPEs: 3EXPL: 0CVE-2021-29622 – Arbitrary redirects under /new endpoint
https://notcve.org/view.php?id=CVE-2021-29622
19 May 2021 — Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. • https://github.com/prometheus/prometheus/releases/tag/v2.26.1 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 2%CPEs: 2EXPL: 0CVE-2019-3826
https://notcve.org/view.php?id=CVE-2019-3826
26 Mar 2019 — A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. Se ha detectado un error de Cross-Site Scripting (XSS) almacenado basado en DOM en Prometheus, en versiones anteriores a la 2.7.1. Un atacante podría explotar esta vulnerabilidad convenciendo a un usuario autenticado para que v... • https://access.redhat.com/errata/RHBA-2019:0327 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •