Lucene search
GoogleOSV:GHSA-V86X-5FM3-5P7JHistoryAug 23, 2023 - 8:42 p.m.
Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
2023-08-2320:42:43
Google
osv.dev
24
alertmanager
stored xss
endpoint
upgrade
reverse proxy
mitigation
0.0004 Low
EPSS
Percentile
13.3%
Impact
An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.
Patches
Users can upgrade to Alertmanager v0.2.51.
Workarounds
Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
References
N/A
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/prometheus/alertmanager | lt | 0.25.1 |
Related
openvas
openvas
Debian: Security Advisory (DLA-3609-1)
2023-10-09 00:00:00
openSUSE: Security Advisory for golang (SUSE-SU-2024:0512-1)
2024-03-04 00:00:00
alpinelinux
alpinelinux
CVE-2023-40577
2023-08-25 01:15:09
nessus
nessus
osv
osv
prometheus-alertmanager - security update
2023-10-08 00:00:00
CVE-2023-40577
2023-08-25 01:15:09
ubuntucve
ubuntucve
CVE-2023-40577
2023-08-25 00:00:00
debian
debian
[SECURITY] [DLA 3609-1] prometheus-alertmanager security update
2023-10-08 10:15:10
cvelist
cvelist
prion
prion
Code injection
2023-08-25 01:15:00
wolfi
wolfi
CVE-2023-40577 vulnerabilities
2024-05-24 17:23:29
veracode
veracode
Cross-site Scripting (XSS)
2023-08-25 02:53:58
redhatcve
redhatcve
CVE-2023-40577
2023-08-29 15:21:59
debiancve
debiancve
CVE-2023-40577
2023-08-25 01:15:09
cgr
cgr
CVE-2023-40577 vulnerabilities
2024-05-19 03:07:16
github
github
Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
2023-08-23 20:42:43
cve
cve
CVE-2023-40577
2023-08-25 01:15:09
redhat
redhat