cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2023-6152,https://securityvulnerability.io/vulnerability/CVE-2023-6152,Email Verification Bypassed in Profile Settings,"A user who changes their email after signing up and verifying it can change it again without verification in profile settings. The configuration option ""verify_email_enabled"" only validates the email on sign-up.",Grafana,"Grafana,Grafana Enterprise",5.4,MEDIUM,0.00062,false,,false,false,false,,,false,false,,2024-02-13T21:38:01.404Z,0
CVE-2023-4399,https://securityvulnerability.io/vulnerability/CVE-2023-4399,Request Filtering Bypass in Grafana Enterprise by Grafana Labs,"Grafana Enterprise, the commercial edition of the Grafana monitoring and observability platform, contains a vulnerability in its Request security feature. This feature is designed to prevent access to specific hosts through a deny list configured by administrators. The deny list can be bypassed by using punycode encoding in the request address: a request whose host is written in an alternative encoding is not matched against the configured entries, so requests may be sent to hosts that were intended to be restricted, potentially leading to unauthorized data access and other security risks.",Grafana,Grafana Enterprise,7.2,HIGH,0.00089,false,,false,false,false,,,false,false,,2023-10-17T08:15:00.000Z,0
CVE-2023-4822,https://securityvulnerability.io/vulnerability/CVE-2023-4822,Privilege Escalation in Grafana by Organization Admins,"A vulnerability in Grafana allows Organization Admins to manipulate user permissions across all organizations they are part of. This flaw enables an admin to elevate their own privileges and modify the permissions of other users, effectively granting unauthorized control. While the vulnerability does not allow access to organizations outside the user's membership, it poses a serious risk within the existing organizational structure by allowing misuse of admin capabilities.",Grafana,Grafana Enterprise,7.2,HIGH,0.00089,false,,false,false,false,,,false,false,,2023-10-16T09:15:00.000Z,0
CVE-2023-3128,https://securityvulnerability.io/vulnerability/CVE-2023-3128,Account Takeover Vulnerability in Grafana for Azure AD Accounts,"Grafana’s integration with Azure Active Directory (AD) has a vulnerability that stems from the email field in Azure AD not being unique and potentially being modifiable. This flaw can lead to account takeover and authentication bypass for users who have implemented Azure AD OAuth in a multi-tenant application setup. Attackers could exploit this weakness to gain unauthorized access to user accounts and sensitive data. Update to the latest Grafana version to mitigate these risks.",Grafana,"Grafana,Grafana Enterprise",9.8,CRITICAL,0.00254,false,,false,false,false,,,false,false,,2023-06-22T21:15:00.000Z,0
CVE-2023-2183,https://securityvulnerability.io/vulnerability/CVE-2023-2183,Improper Access Control in Grafana Monitoring Platform,"Grafana, a prominent open-source platform for monitoring and observability, suffers from an improper access control vulnerability. Users with the Viewer role can use the API to send test alerts, even though the UI restricts this action. This oversight could allow malicious actors to inundate users with spam alerts via email and Slack, potentially facilitating phishing attacks or causing disruption to SMTP servers. To mitigate this risk, users are advised to upgrade to versions 9.5.3, 9.4.12, 9.3.15, 9.2.19, or 8.5.26.",Grafana,"Grafana,Grafana Enterprise",6.4,MEDIUM,0.00089,false,,false,false,false,,,false,false,,2023-06-06T19:15:00.000Z,0
CVE-2023-2801,https://securityvulnerability.io/vulnerability/CVE-2023-2801,Query Manipulation Vulnerability in Grafana Monitoring Platform,"Grafana, the open-source monitoring and observability platform, has a vulnerability that allows malicious users to manipulate queries through public dashboards or the query API. This manipulation can crash Grafana instances, disrupting service for users who rely on the platform for data visualization. Users of affected versions should upgrade to Grafana 9.4.12 or 9.5.3 to mitigate this risk.",Grafana,"Grafana,Grafana Enterprise",5.3,MEDIUM,0.0012,false,,false,false,false,,,false,false,,2023-06-06T19:15:00.000Z,0
CVE-2023-1387,https://securityvulnerability.io/vulnerability/CVE-2023-1387,Authentication Bypass in Grafana Monitoring Platform,"Grafana, an open-source monitoring and observability platform, introduced new functionality that searches for a JWT in the 'auth_token' URL query parameter. This feature, when enabled via the 'url_login' configuration option (which is disabled by default), can inadvertently expose JWT tokens to data sources, because the full request URL reaches them. If an attacker has access to such a data source, they can capture the leaked token and use it to authenticate to Grafana, compromising the integrity of the system. Users should review their configuration and ensure that this option is not enabled unless it is needed.",Grafana,"Grafana,Grafana Enterprise",7.5,HIGH,0.00146,false,,false,false,false,,,false,false,,2023-04-26T14:15:00.000Z,0
CVE-2023-1410,https://securityvulnerability.io/vulnerability/CVE-2023-1410,Stored XSS in Graphite FunctionDescription tooltip,"Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description, a Grafana admin needs to configure that data source, and later a Grafana user needs to select a tampered function and hover over its description. Users may upgrade to versions 8.5.22, 9.2.15, or 9.3.11 to receive a fix.",Grafana,"Grafana,Grafana Enterprise",4.8,MEDIUM,0.00064,false,,false,false,false,,,false,false,,2023-03-23T08:15:00.000Z,0
CVE-2023-0594,https://securityvulnerability.io/vulnerability/CVE-2023-0594,Stored XSS Vulnerability in Grafana Monitoring Platform,"Grafana, an open-source platform for monitoring and observability, has a vulnerability that allows attackers with Editor privileges to inject malicious JavaScript into trace view visualizations. Because span attributes are not properly sanitized, this stored XSS lets an attacker execute scripts in the context of another user's session, including an Admin's, which makes vertical privilege escalation possible. Affected users are advised to upgrade to the fixed versions of Grafana to secure their installations.",Grafana,"Grafana,Grafana Enterprise",7.3,HIGH,0.00054,false,,false,false,false,,,false,false,,2023-03-01T16:15:00.000Z,0
CVE-2023-0507,https://securityvulnerability.io/vulnerability/CVE-2023-0507,Stored XSS Vulnerability in Grafana's GeoMap Plugin,"Grafana's core plugin, GeoMap, is vulnerable to stored XSS because map attributions are not adequately sanitized. This allows an attacker with Editor privileges to execute arbitrary JavaScript in the context of any logged-in user, including Admins, creating a vertical privilege escalation scenario. To mitigate this risk, users should upgrade to the patched versions: 8.5.21, 9.2.13, or 9.3.8.",Grafana,"Grafana,Grafana Enterprise",5.4,MEDIUM,0.0007,false,,false,false,false,,,false,false,,2023-03-01T16:15:00.000Z,0
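The CVE-2023-4399 entry above describes a deny list that is bypassed by writing the target host in punycode. The example below is added here and is not Grafana's code; it shows the general shape of that bug class (a deny list compared against the hostname exactly as the client sent it) next to a check that canonicalises both sides first. The deny list entries, the URLs and the function names `naive_is_denied`, `canonical_host` and `is_denied` are constructed for illustration and do not correspond to anything in the advisory.

```python
"""Deny-list host matching with canonicalised hostnames.

Added example (not Grafana's own code): the general form of the bypass
class behind CVE-2023-4399, where a deny list compared as raw strings
misses an alternative spelling of the same host (its punycode / IDNA
ASCII form, mixed case, a trailing root dot, a non-ASCII label
separator), next to a check that normalises both sides first.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample deny list; the hostnames are illustrative, not real targets.
DENY_LIST = ["metadata.internal", "bücher.example"]


def naive_is_denied(url: str, deny_list: list[str]) -> bool:
    """Vulnerable pattern: compare the host exactly as the client sent it."""
    host = urlsplit(url).hostname or ""
    return host in deny_list


def canonical_host(host: str) -> str:
    """Reduce every spelling of a hostname to one comparable ASCII form.

    - lower-case explicitly: Python's idna codec passes pure-ASCII labels
      through untouched, so "XN--BCHER-KVA" would otherwise survive as-is;
    - drop a trailing root dot ("host." and "host" name the same thing);
    - encode with the idna codec: Unicode labels become xn-- labels, labels
      that already are xn-- pass through, and the codec treats U+3002,
      U+FF0E and U+FF61 as label separators, so those collapse to ".".
    Raises UnicodeError for names the codec rejects (empty or over-long labels).
    """
    host = host.strip().lower().rstrip(".")
    return host.encode("idna").decode("ascii")


def is_denied(url: str, deny_list: list[str]) -> bool:
    """Hardened pattern: canonicalise the deny list and the request host alike."""
    denied = {canonical_host(entry) for entry in deny_list}
    host = urlsplit(url).hostname or ""
    try:
        return canonical_host(host) in denied
    except UnicodeError:
        # A host the codec cannot canonicalise cannot be vetted: fail closed.
        return True


if __name__ == "__main__":
    # Constructed requests: the first three are alternative spellings of
    # deny-listed hosts, the last is an unrelated host.
    for url in ("http://xn--bcher-kva.example/", "http://metadata.internal./",
                "http://B\u00dcCHER.example/", "http://example.com/"):
        print(f"{url:34} naive={naive_is_denied(url, DENY_LIST)!s:5} "
              f"hardened={is_denied(url, DENY_LIST)}")
```

The naive check lets `xn--bcher-kva.example` and `metadata.internal.` through even though both name deny-listed hosts; the hardened check catches them because the comparison happens on the canonical form. Canonicalising the hostname is necessary but not sufficient for a request-filtering feature: it says nothing about IP literals written in alternative notations, hosts that resolve to a restricted address, or DNS rebinding between the check and the connection, so a deny list of this kind should also be enforced on the resolved address at connect time.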