Количество 391
Количество 391
RLSA-2025:7894
Important: grafana security update
RLSA-2025:7892
Important: grafana security update
RLSA-2023:4030
Critical: grafana security update
RLSA-2022:1781
Low: grafana security, bug fix, and enhancement update
RLSA-2021:3771
Important: grafana security update
GHSA-xw5p-hw8j-xg4q
Grafana vulnerable to Cross-site Scripting
GHSA-xfc5-hp99-89qr
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
GHSA-x744-mm8v-vpgr
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
GHSA-x5fh-fvvr-892f
Grafana XSS Vulnerability
GHSA-x2w4-c67p-g44j
Grafana Missing Synchronization vulnerability
GHSA-vqc4-mpj8-jxch
Grafana Race condition allowing privilege escalation
GHSA-vq62-87gp-hrvv
Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI.
GHSA-vfhw-75mr-pg52
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
GHSA-qrrg-gw7w-vp76
Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
GHSA-qhvm-m99m-qq44
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
GHSA-q99m-qcv4-fpm7
Grafana Command Injection And Local File Inclusion Via Sql Expressions
GHSA-q8jm-f67m-5xxq
** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability.
GHSA-q53q-gxq9-mgrj
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
GHSA-p978-56hq-r492
Grafana folders admin only permission privilege escalation
GHSA-mvpr-q6rh-8vrp
Grafana XSS via a query alias for the ElasticSearch datasource
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | RLSA-2025:7894 Important: grafana security update | 15% Средний | 3 месяца назад | |
| RLSA-2025:7892 Important: grafana security update | 15% Средний | около 1 месяца назад | |
| RLSA-2023:4030 Critical: grafana security update | 2% Низкий | больше 2 лет назад | |
| RLSA-2022:1781 Low: grafana security, bug fix, and enhancement update | 6% Низкий | больше 3 лет назад | |
| RLSA-2021:3771 Important: grafana security update | 94% Критический | около 4 лет назад | |
| GHSA-xw5p-hw8j-xg4q Grafana vulnerable to Cross-site Scripting | CVSS3: 5.4 | 40% Средний | больше 2 лет назад |
| GHSA-xfc5-hp99-89qr The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have. | 0% Низкий | больше 3 лет назад | |
| GHSA-x744-mm8v-vpgr Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins | CVSS3: 6.8 | 1% Низкий | больше 1 года назад |
| GHSA-x5fh-fvvr-892f Grafana XSS Vulnerability | CVSS3: 5.4 | 1% Низкий | больше 3 лет назад |
| GHSA-x2w4-c67p-g44j Grafana Missing Synchronization vulnerability | CVSS3: 7.5 | 1% Низкий | больше 2 лет назад |
| GHSA-vqc4-mpj8-jxch Grafana Race condition allowing privilege escalation | CVSS3: 9.8 | 1% Низкий | больше 1 года назад |
| GHSA-vq62-87gp-hrvv Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. | CVSS3: 7.5 | 62% Средний | больше 3 лет назад |
| GHSA-vfhw-75mr-pg52 An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box. | CVSS3: 4.9 | 0% Низкий | больше 3 лет назад |
| GHSA-qrrg-gw7w-vp76 Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip | CVSS3: 6.2 | 1% Низкий | больше 2 лет назад |
| GHSA-qhvm-m99m-qq44 One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance. | CVSS3: 7.5 | 4% Низкий | больше 3 лет назад |
| GHSA-q99m-qcv4-fpm7 Grafana Command Injection And Local File Inclusion Via Sql Expressions | CVSS3: 9.9 | 92% Критический | около 1 года назад |
| GHSA-q8jm-f67m-5xxq ** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability. | CVSS3: 7.5 | 11% Средний | больше 3 лет назад |
| GHSA-q53q-gxq9-mgrj Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin | CVSS3: 7.6 | 15% Средний | 5 месяцев назад |
| GHSA-p978-56hq-r492 Grafana folders admin only permission privilege escalation | CVSS3: 7.6 | 0% Низкий | больше 1 года назад |
| GHSA-mvpr-q6rh-8vrp Grafana XSS via a query alias for the ElasticSearch datasource | CVSS3: 6.1 | 0% Низкий | больше 3 лет назад |
Уязвимостей на страницу