
27 matches found

OSV
added 2026/04/18 8:40 a.m.

BIT-GRAFANA-2025-12141 Grafana Alerting Editors can edit destination of webhooks they did not create

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit...

CVSS 6.5 | AI score 5.7 | EPSS 0.00255 | Exploits 0 | References 2
RedhatCVE
added 2026/04/16 6:15 a.m.

CVE-2025-12141

A flaw was found in Grafana's alerting system. Users with editor permissions, specifically those able to write or test alert notifications, can modify contact points created by other users. By changing the endpoint URL to a controlled server and triggering the test functionality, an attacker can...

CVSS 6.5 | AI score 5.7 | EPSS 0.00255 | Exploits 0 | References 4
Snyk
added 2026/04/15 4:11 p.m.

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the “Contact Point Writer” role, which by default grants permission to the alert.notifications:write or alert.notifications.receivers:test actions. An attacker can gain unauthorized access to sensitive configuration data,...

CVSS 6.5 | AI score 5.7 | EPSS 0.00255 | Exploits 0 | References 2
CVE
added 2026/04/15 2:59 p.m.

CVE-2025-12141

CVE-2025-12141 affects Grafana Alerting: users with edit permissions on a contact point (alert.notifications:write or alert.notifications.receivers:test) granted via the fixed role Contact Point Writer within the Editor role can modify destinations of contact points created by others. An attacker...

CVSS 6.5 | AI score 5.8 | EPSS 0.00255 | Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/04/15 2:59 p.m.

CVE-2025-12141 Grafana Alerting Editors can edit destination of webhooks they did not create

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit...

CVSS 5.3 | EPSS 0.00255 | Exploits 0 | References 1
CNNVD
added 2026/03/26 12:00 a.m.

Grafana OSS security vulnerability

Grafana OSS is an open-source visualization dashboard developed by Grafana. There is a security vulnerability in Grafana OSS, which stems from an authorization bypass in the contact point configuration API. This vulnerability could allow users with the Editor role to modify protected Webhook URLs...

CVSS 5.4 | AI score 5.8 | EPSS 0.00238 | Exploits 0 | References 2
RedhatCVE
added 2026/02/26 4:15 a.m.

CVE-2026-27639

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting XSS vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives {!! !!} in display templates. An authenticated user with the User...

CVSS 8.5 | AI score 5.6 | EPSS 0.00279 | Exploits 0 | References 1
NVD
added 2026/02/25 4:16 a.m.

CVE-2026-27639

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting XSS vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives {!! !!} in display templates. An authenticated user with the User...

CVSS 8.5 | EPSS 0.00279 | Exploits 0 | References 4
Cvelist
added 2026/02/25 3:44 a.m.

CVE-2026-27639 Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting XSS vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives {!! !!} in display templates. An authenticated user with the User...

CVSS 8.5 | EPSS 0.00279 | Exploits 0 | References 4
CVE
added 2026/02/25 3:44 a.m.

CVE-2026-27639

CVE-2026-27639 concerns Mercator, an open-source web app for mapping information systems. A stored XSS exists in versions prior to 2026.02.22 due to unescaped Blade directives ({!! !!}) in display templates. An authenticated user with the User role can inject JavaScript into fields like “contact ...

CVSS 8.5 | AI score 5.6 | EPSS 0.00279 | Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/02/25 3:44 a.m.

CVE-2026-27639 Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting XSS vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives {!! !!} in display templates. An authenticated user with the User...

CVSS 8.5 | AI score 5.7 | EPSS 0.00279 | Exploits 0 | References 6
Positive Technologies
added 2026/02/25 12:00 a.m.

PT-2026-21855

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting XSS vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives {!! !!} in display templates. An authenticated user with the User...

CVSS 8.5 | AI score 5.6 | EPSS 0.00279 | Exploits 0 | References 5
Grafana
added 2025/12/16 12:00 a.m.

Information Leakage in Grafana Alerting

In Grafana’s alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role “Contact Point Writer”, which is part of the basic role Editor - can edit...

CVSS 6.5 | AI score 5.8 | EPSS 0.00255 | Exploits 0
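The CVE-2025-12141 records above describe the same chain: an Editor retargets an existing contact point's webhook URL to a server they control, then uses the test function to make Grafana deliver a notification, and whatever the notification carries, there. The check a defender wants is a periodic audit of every contact point's destination against an allowlist of approved webhook hosts, which also catches retargeting that happened before the fix was deployed. The script below is an added example, not code from Grafana or from any of the listed advisories. It assumes contact-point objects with the shape returned by Grafana's `GET /api/v1/provisioning/contact-points` endpoint (`uid`, `name`, `type`, `settings`, with the destination in `settings.url` for webhook-style integrations); the set of URL-based integration types, the sample payload, the allowlist and the `fetch_contact_points` helper are constructed for illustration.

```python
"""Audit Grafana alerting contact points for destinations outside an allowlist.

Added example; not Grafana project code. Assumes the object shape returned by
GET /api/v1/provisioning/contact-points (uid, name, type, settings), with the
destination in settings["url"] for webhook-style integrations.
"""
import json
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Integration types whose destination is a URL in settings["url"]
# (assumption; extend for the integrations in use).
URL_INTEGRATIONS = {"webhook", "dingding", "discord", "slack", "teams"}

# Constructed sample payload mimicking the provisioning API response.
# "cp-edited" plays the role of a contact point an Editor has retargeted.
SAMPLE_CONTACT_POINTS = [
    {"uid": "cp-oncall", "name": "oncall-webhook", "type": "webhook",
     "settings": {"url": "https://hooks.example-corp.internal/alerts"}},
    {"uid": "cp-chat", "name": "chat-room", "type": "slack",
     "settings": {"url": "https://hooks.slack.com/services/T000/B000/xxxx"}},
    {"uid": "cp-edited", "name": "oncall-webhook-2", "type": "webhook",
     "settings": {"url": "http://203.0.113.9:8080/collect"}},
    {"uid": "cp-mail", "name": "ops-email", "type": "email",
     "settings": {"addresses": "ops@example-corp.internal"}},
]

# Constructed allowlist of hosts that notifications may legitimately reach.
ALLOWED_HOSTS = {"hooks.example-corp.internal", "hooks.slack.com"}


def destination_host(cp: dict) -> Optional[str]:
    """Return the host a URL-based contact point will POST to, or None
    for integrations that do not carry a URL destination."""
    if cp.get("type") not in URL_INTEGRATIONS:
        return None
    url = cp.get("settings", {}).get("url")
    if not url:
        return None
    return urlparse(url).hostname


def audit_contact_points(contact_points: list, allowed_hosts: set) -> list:
    """Flag contact points whose destination host is not allowlisted, or
    that use plain HTTP (a test notification would then leave the alert
    payload readable on the wire as well as at the attacker's server)."""
    findings = []
    for cp in contact_points:
        host = destination_host(cp)
        if host is None:
            continue
        url = cp["settings"]["url"]
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host not in allowlist")
        if urlparse(url).scheme != "https":
            reasons.append("non-https scheme")
        if reasons:
            findings.append({"uid": cp["uid"], "name": cp["name"],
                             "type": cp["type"], "url": url,
                             "reasons": reasons})
    return findings


def fetch_contact_points(base_url: str, token: str) -> list:
    """Fetch live contact points with a service-account token that holds
    provisioning read permission (assumption). Not used in the offline demo."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/provisioning/contact-points",
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for f in audit_contact_points(SAMPLE_CONTACT_POINTS, ALLOWED_HOSTS):
        print(f"{f['uid']} ({f['name']}, {f['type']}): {f['url']} -> "
              + ", ".join(f["reasons"]))
```

Run it from a scheduled job against `fetch_contact_points(...)` instead of the sample list; a non-empty result is the signal to inspect the contact point's edit history and rotate any secret that the retargeted notification may have carried.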
RedhatCVE
added 2025/06/24 11:45 a.m.

CVE-2025-3415

A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys,...

CVSS 4.3 | AI score 6.6 | EPSS 0.0089 | Exploits 0 | References 3
NVD
added 2024/06/14 4:15 a.m.

CVE-2024-27176

An attacker can get Remote Code Execution by overwriting files. Overwriting files is enabled by falsifying the session ID variable. This vulnerability can be exploited in combination with other vulnerabilities and is difficult to exploit alone. So, the CVSS score for this vulnerability alone is lower than...

CVSS 7.2 | EPSS 0.01504 | Exploits 1 | References 4
NVD
added 2024/06/14 4:15 a.m.

CVE-2024-27163

Toshiba printers will display the password of the admin user in clear text, along with additional passwords, when sent 2 specific HTTP requests to the internal API. An attacker stealing the cookie of an admin or abusing an XSS vulnerability can recover this password in clear text and compromise the...

CVSS 6.5 | EPSS 0.0042 | Exploits 1 | References 4
Cvelist
added 2024/06/14 4:06 a.m.

CVE-2024-27177 Remote Code Execution

An attacker can get Remote Code Execution by overwriting files. Overwriting files is enabled by falsifying the package name variable. This vulnerability can be exploited in combination with other vulnerabilities and is difficult to exploit alone. So, the CVSS score for this vulnerability alone is lower th...

CVSS 7.2 | EPSS 0.01504 | Exploits 1 | References 4
CVE
added 2024/06/14 4:06 a.m.

CVE-2024-27177

CVE-2024-27177 affects Toshiba multi-function printers (e-studio/Toshiba MFPs). A vulnerability in the handling of the package name variable allows an attacker to overwrite files, enabling Remote Code Execution. The issue can be leveraged in combination with other vulnerabilities and may not be e...

CVSS 7.2 | AI score 7.7 | EPSS 0.01504 | Exploits 1 | References 4
CVE
added 2024/06/14 4:05 a.m.

CVE-2024-27176

CVE-2024-27176 affects Toshiba MFP/Toshiba Tec e-STUDIO printers. The root cause is an issue where an attacker can cause Remote Code Execution by overwriting files, enabled by falsifying a session ID variable. The vulnerability is documented as potentially exploitable in combination with other we...

CVSS 7.2 | AI score 7.7 | EPSS 0.01504 | Exploits 1 | References 4