An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.
Users can upgrade to Alertmanager v0.2.51.
Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
N/A
CPE | Name | Operator | Version |
---|---|---|---|
github.com/prometheus/alertmanager | lt | 0.25.1 |