Total: 380
Advisory | Vulnerability | CVSS | EPSS | Published
---|---|---|---|---
GHSA-jv32-5578-pxjc | Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins | CVSS3: 4.9 | 0% Low | about 1 year ago
GHSA-jfp3-g5xg-h74p | The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have. | CVSS3: 6.5 | 1% Low | about 3 years ago
GHSA-hjv9-hm2f-rpcj | Grafana vulnerable to Cross-site Scripting | CVSS3: 5.4 | 66% Medium | over 2 years ago
GHSA-gj7m-853r-289r | Grafana when using email as a username can block other users from signing in | CVSS3: 4.3 | 0% Low | about 1 year ago
GHSA-fw9c-75hh-89p6 | Grafana privilege escalation vulnerability | CVSS3: 6.7 | 1% Low | over 1 year ago
GHSA-ff5c-938w-8c9q | Grafana Escalation from admin to server admin when auth proxy is used | CVSS3: 6.6 | 1% Low | about 1 year ago
GHSA-cvm3-pp2j-chr3 | Grafana has Broken Access Control in Alert manager: Viewer can send test alerts | CVSS3: 4.1 | 1% Low | about 2 years ago
GHSA-cmq2-j8v8-2q44 | Grafana XSS in Dashboard Text Panel | CVSS3: 6.1 | 0% Low | over 1 year ago
GHSA-ccmg-w4xm-p28v | Grafana XSS in header column rename | CVSS3: 6.1 | 3% Low | about 3 years ago
GHSA-c6x5-653c-4grh | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. | CVSS3: 7.5 | 91% Critical | about 3 years ago
GHSA-c3h9-vpfv-3x4m | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana. | CVSS3: 4.2 | 0% Low | about 2 years ago
GHSA-9hv8-4frf-cprf | Grafana XSS via a column style | CVSS3: 6.1 | 1% Low | about 3 years ago
GHSA-8pjx-jj86-j47p | Grafana path traversal | CVSS3: 7.5 | 94% Critical | over 1 year ago
GHSA-7rqg-hjwc-6mjf | Grafana vulnerable to Stored Cross-site Scripting in Text plugin | CVSS3: 6.4 | 7% Low | over 2 years ago
GHSA-7phr-6cc9-4m5q | Grafana Cross-site Scripting vulnerability | CVSS3: 5.4 | 7% Low | about 3 years ago
GHSA-7m2x-qhrq-rp8h | Grafana XSS via the OpenTSDB datasource | CVSS3: 6.1 | 0% Low | about 3 years ago
GHSA-7533-c8qv-jm9m | Grafana directory traversal for .cvs files | CVSS3: 4.3 | 1% Low | about 1 year ago
GHSA-6wh2-8hw7-jw94 | Grafana XSS via adding a link in General feature | CVSS3: 6.1 | 1% Low | over 1 year ago
GHSA-69j6-29vr-p3j9 | Authentication bypass for viewing and deletions of snapshots | CVSS3: 7.3 | 94% Critical | over 3 years ago
GHSA-6858-383c-7xhr | Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access. | CVSS3: 7.1 | 0% Low | about 3 years ago