Cross site scripting

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have contro...

CVE-2023-1410 Stored XSS in Graphite FunctionDescription tooltip

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have contro...

CVE-2023-1574

Information disclosure in the user creation feature of a MSSQL data source in Devolutions Remote Desktop Manager 2023.1.9 and below on Windows allows an attacker with access to the user interface to obtain sensitive information via the error message dialog that displays the password in clear text...

PT-2023-17090 · Devolutions · Devolutions Remote Desktop Manager

Name of the Vulnerable Software and Affected Versions: Devolutions Remote Desktop Manager versions 2023.1.9 and below Description: The issue concerns information disclosure in the user creation feature of a MSSQL data source. An attacker with access to the user interface can obtain sensitive...

Stored XSS in Graphite FunctionDescription tooltip

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have contro...

K14122652: Apache Log4j2 vulnerability CVE-2021-44832

Security Advisory Description Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to a remote code execution RCE attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration...

FreeBSD : Rundeck3 -- Log4J RCE vulnerability (27c822a0-addc-11ed-a9ee-dca632b19f10)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 27c822a0-addc-11ed-a9ee-dca632b19f10 advisory. - Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are...

UBUNTU-CVE-2023-0482

In RESTEasy the insecure File.createTempFile is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user...

SUSE CVE-2014-5026

Multiple cross-site scripting XSS vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a 1 Graph Tree Title in a delete or 2 edit action; 3 CDEF Name, 4 Data Input Method Name, or 5 Host Templates Name in a delete action; ...

SUSE CVE-2019-15635

An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana e.g., MySQL are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, th...

SUSE CVE-2019-19499

Grafana = 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations...

SUSE CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource...

SUSE CVE-2021-27962

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access...

SUSE CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to a remote code execution RCE attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is...

SUSE CVE-2022-21673

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...

SUSE CVE-2022-21702

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...

SUSE CVE-2022-31130

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with...

SUSE CVE-2023-0482

In RESTEasy the insecure File.createTempFile is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user...

CVE-2023-0760

creationtimestamp| type| source ---|---|--- 2023-02-09 16:24:51+00:00| seen| https://t.me/cibsecurity/57819...

Information Disclosure

github.com/grafana/grafana is vulnerable to Information Disclosure. The vulnerability exists when the data source query cache is enabled, Grafana will cache all headers, including the grafanasession, resulting in any user querying a data source which allows an attacker to acquire another user's...