Skip to content

Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

High
simonpasquier published GHSA-v86x-5fm3-5p7j Aug 23, 2023

Package

No package listed

Affected versions

0.25.0

Patched versions

0.25.1

Description

Impact

An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.

Patches

Users can upgrade to Alertmanager v0.2.51.

Workarounds

Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.

References

N/A

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-40577

Weaknesses

Credits