cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-11741,https://securityvulnerability.io/vulnerability/CVE-2024-11741,Exposure in Grafana Alerting VictorOps Integration Affects Users with Viewer Permission,"A vulnerability in the Grafana Alerting VictorOps integration exposes information to users who hold only the Viewer permission. The flaw in the open-source monitoring platform can disclose sensitive data and underlines the need for correct access controls and timely updates. Upgrade to 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 or 10.4.15 to mitigate the risk.",Grafana,Grafana,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-31T15:12:29.122Z,0
CVE-2024-9476,https://securityvulnerability.io/vulnerability/CVE-2024-9476,Privilege Escalation Vulnerability in Grafana Labs Grafana OSS and Enterprise,"A vulnerability in Grafana OSS and Grafana Enterprise allows privilege escalation: a user can gain access to resources that belong to other organizations within the same Grafana instance. Only deployments that use the Organizations feature to segregate resources are affected. The escalation is performed through the Grafana Cloud Migration Assistant, which undermines the intended isolation between organizations. Users who rely on Organizations for isolation should review their configuration and apply the security update.",Grafana Labs,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-13T17:15:00.000Z,0
CVE-2024-10452,https://securityvulnerability.io/vulnerability/CVE-2024-10452,Unauthorized Invite Deletion in Grafana by Admins,"A flaw in Grafana allows an Organization Admin to delete pending invites that were created in organizations of which the admin is not a member. This lets one organization's admin disrupt user onboarding in another and compromises the integrity of invite management in affected instances. Apply the latest updates and review access controls to mitigate the risk.",Grafana,Grafana,2.7,LOW,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-10-29T16:15:00.000Z,0
CVE-2024-9264,https://securityvulnerability.io/vulnerability/CVE-2024-9264,Grafana SQL Expressions Vulnerability: Command Injection and Local File Inclusion Risks,"The experimental SQL Expressions feature in Grafana lets users evaluate `duckdb` queries that can contain user input. The queries are not adequately sanitized before they are passed to `duckdb`, which allows command injection and local file inclusion. Any user with the VIEWER role or higher can carry out the attack. Successful exploitation additionally requires the `duckdb` binary to be present in Grafana's execution $PATH; it is not installed by default in Grafana distributions. The flaw underlines the need for strict input validation wherever an application executes user-derived queries.",Grafana,Grafana,8.8,HIGH,0.18512000143527985,false,,true,false,true,2024-10-17T01:00:00.000Z,true,true,true,2024-10-23T08:52:02.695Z,2024-10-18T03:20:52.489Z,9915
CVE-2024-8118,https://securityvulnerability.io/vulnerability/CVE-2024-8118,Wrong Permission in Grafana's Alert Rule Write API Endpoint Allows Unauthorized Rule Writing,"Grafana's alert rule write API endpoint checks the wrong permission: users who only hold write access to external alert instances are also able to write and modify alert rules. Unintended changes to alert rules can silently degrade monitoring and alerting for organizations that rely on Grafana. Users running affected versions should update to restore the intended permission boundary.",Grafana,Grafana,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-09-26T18:46:07.048Z,0
CVE-2024-8975,https://securityvulnerability.io/vulnerability/CVE-2024-8975,Privilege Escalation Vulnerability in Grafana Alloy,"An unquoted search path vulnerability in Grafana Alloy on Windows allows a local user to escalate privileges to the SYSTEM account. Affected versions are Alloy before 1.3.3 and 1.4.0-rc.0 through 1.4.0-rc.1.",Grafana,Alloy,7.8,HIGH,0.0004199999966658652,false,,false,false,false,,,false,false,,2024-09-25T17:15:00.000Z,0
CVE-2024-8996,https://securityvulnerability.io/vulnerability/CVE-2024-8996,Privilege Escalation Vulnerability in Grafana Agent Flow Mode for Windows,"Grafana Agent (Flow mode) on Windows contains an unquoted search path or element vulnerability. A local user can exploit it to escalate privileges to SYSTEM and take control of the host. Grafana Agent versions before 0.43.2 are affected; update to mitigate the risk.",Grafana,Agent Flow,7.8,HIGH,0.0004199999966658652,false,,false,false,false,,,false,false,,2024-09-25T17:15:00.000Z,0
CVE-2024-8986,https://securityvulnerability.io/vulnerability/CVE-2024-8986,Grafana Plugin SDK Includes Build Metadata and Credentials in Binaries,"The Grafana Plugin SDK embedded sensitive information in compiled plugin binaries during the build process: when a developer used repository URIs containing credentials for private dependencies, those credentials ended up in the build metadata of the shipped binary. Anyone who obtains the binary can extract the credentials and use them to access the repositories or other resources they protect.",Grafana-plugin-sdk-go,Grafana Plugin Sdk,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-09-19T10:57:01.035Z,0
CVE-2024-6322,https://securityvulnerability.io/vulnerability/CVE-2024-6322,Access Control Bypass in Grafana Plugin by Grafana Labs,"Access control for Grafana plugin data sources protected by the ReqActions JSON field in plugin.json is not enforced correctly. If a user or service account has been granted access to any other data source, the ReqActions check no longer restricts access to the protected data source as intended. The account must already have query access to the impacted data source, so the bypass only defeats the additional ReqActions restriction; within that limit it can expose sensitive information or allow operations the plugin meant to restrict.",Grafana Labs,Grafana,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-08-20T18:15:00.000Z,0
CVE-2024-5526,https://securityvulnerability.io/vulnerability/CVE-2024-5526,Server Side Request Forgery in Grafana OnCall by Grafana Labs,"Grafana OnCall, an on-call management tool for engineering teams, is affected by a Server Side Request Forgery (SSRF) vulnerability in its webhook functionality. In versions before 1.5.2 a crafted webhook request can reach internal resources that are not meant to be exposed. The issue is fixed in version 1.5.2; update to maintain security.",Grafana,Oncall,9.1,CRITICAL,0.000910000002477318,false,,false,false,false,,,false,false,,2024-06-05T12:15:00.000Z,0
CVE-2024-1313,https://securityvulnerability.io/vulnerability/CVE-2024-1313,Grafana Vulnerability: Unauthorized Snapshot Deletion via DELETE Request,"It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to be available only to individuals with permission to write/edit the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.",Grafana,Grafana,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-26T17:24:25.956Z,0
CVE-2024-1442,https://securityvulnerability.io/vulnerability/CVE-2024-1442,Granting Unrestricted Access to Data Sources Through UID,"A user with permission to create a data source can use the Grafana API to create a data source whose UID is set to *. Doing so grants the user access to read, query, edit and delete all data sources within the organization.",Grafana,Grafana,6,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-07T17:45:43.993Z,0
CVE-2023-5122,https://securityvulnerability.io/vulnerability/CVE-2023-5122,Grafana CSV Datasource Plugin Vulnerability,"Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that retrieves and processes CSV data from a remote endpoint configured by an administrator. If the plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/), a specially crafted request from any user could trigger requests to an endpoint other than the one configured by the administrator, resulting in an SSRF vector. CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)",Grafana,Grafana-csv-datasource,5.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-02-14T15:06:12.573Z,0
CVE-2023-5123,https://securityvulnerability.io/vulnerability/CVE-2023-5123,Grafana JSON datasource plugin vulnerability,"The JSON datasource plugin maintained by Grafana Labs lets administrators retrieve and process JSON data from remote endpoints. The path parameter supplied in dashboards was insufficiently sanitized, so an attacker can include path traversal characters and direct requests to arbitrary subpaths of the configured endpoint. If the datasource points back at the Grafana instance itself, this can reach sensitive administrative API endpoints. The issue underlines the need to validate dashboard-supplied input before using it to build request URLs.",Grafana,Grafana-json-datasource,8,HIGH,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-02-14T15:06:11.126Z,0
CVE-2023-6152,https://securityvulnerability.io/vulnerability/CVE-2023-6152,Email Verification Bypassed in Profile Settings,"A user who changed their email address after signing up and verifying it could change it again in profile settings without verification. The configuration option ""verify_email_enabled"" only validates the email address at sign up.",Grafana,"Grafana,Grafana Enterprise",5.4,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2024-02-13T21:38:01.404Z,0
CVE-2023-3010,https://securityvulnerability.io/vulnerability/CVE-2023-3010,DOM XSS Vulnerability in Grafana's WorldMap Panel Plugin,"The WorldMap panel plugin for Grafana, an open-source platform for monitoring and observability, is susceptible to DOM-based cross-site scripting (XSS) in versions before 1.0.4. An attacker can inject script that executes in the context of the victim's browser, potentially compromising their session and data. Upgrade to version 1.0.4 or later to mitigate the risk.",Grafana,Worldmap-panel,6.1,MEDIUM,0.0006799999973736703,false,,false,false,false,,,false,false,,2023-10-25T08:09:48.174Z,0
CVE-2023-4399,https://securityvulnerability.io/vulnerability/CVE-2023-4399,Request Filtering Bypass in Grafana Enterprise by Grafana Labs,"The Request security feature of Grafana Enterprise (the commercial edition of the Grafana monitoring and observability platform) blocks outbound requests to specific hosts using an administrator-configured deny list. The check can be bypassed by writing the target host in punycode encoding in the request address, so requests reach hosts that were meant to be blocked, potentially leading to unauthorized data access and other security risks.",Grafana,Grafana Enterprise,7.2,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-10-17T08:15:00.000Z,0
CVE-2023-4457,https://securityvulnerability.io/vulnerability/CVE-2023-4457,Information Disclosure Vulnerability in Grafana Google Sheets Plugin,"The Google Sheets data source plugin for Grafana, versions 0.9.0 up to (but not including) 1.2.2, can leak sensitive information: error messages were not sanitized and could reveal the Google Sheets API key configured for the data source. Upgrade to version 1.2.2 to fix the issue.",Grafana,Google-sheets-datasource,5.5,MEDIUM,0.0013500000350177288,false,,false,false,false,,,false,false,,2023-10-16T10:15:00.000Z,0
CVE-2023-4822,https://securityvulnerability.io/vulnerability/CVE-2023-4822,Privilege Escalation in Grafana by Organization Admins,"A vulnerability in Grafana allows an Organization Admin to change user permissions in every organization they are a member of, including elevating their own privileges and modifying the permissions of other users. The flaw does not grant access to organizations outside the admin's membership, but within those organizations it allows serious misuse of admin capabilities.",Grafana,Grafana Enterprise,7.2,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-10-16T09:15:00.000Z,0
CVE-2023-3128,https://securityvulnerability.io/vulnerability/CVE-2023-3128,Account Takeover Vulnerability in Grafana for Azure AD Accounts,"Grafana's Azure Active Directory (AD) OAuth integration identifies users by the email field, but in Azure AD that field is neither unique nor guaranteed to be immutable. In multi-tenant application setups this allows account takeover and authentication bypass: an attacker who can present a token whose email claim matches a victim's address gains access to the victim's Grafana account and data. Update to a fixed Grafana version to mitigate the risk.",Grafana,"Grafana,Grafana Enterprise",9.8,CRITICAL,0.0025400000158697367,false,,false,false,false,,,false,false,,2023-06-22T21:15:00.000Z,0
CVE-2023-2183,https://securityvulnerability.io/vulnerability/CVE-2023-2183,Improper Access Control in Grafana Monitoring Platform,"Grafana suffers from an improper access control vulnerability: users with the Viewer role can send test alerts through the API even though the UI hides this action. A malicious user could flood recipients with alerts via email and Slack, enabling phishing or disrupting SMTP servers. Upgrade to 9.5.3, 9.4.12, 9.3.15, 9.2.19 or 8.5.26 to mitigate the risk.",Grafana,"Grafana,Grafana Enterprise",6.4,MEDIUM,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-06-06T19:15:00.000Z,0
CVE-2023-2801,https://securityvulnerability.io/vulnerability/CVE-2023-2801,Query Manipulation Vulnerability in Grafana Monitoring Platform,"Grafana has a vulnerability that allows a malicious user to manipulate queries through public dashboards or the query API in a way that crashes the Grafana instance, denying service to everyone who relies on it for data visualization. Users of affected versions should upgrade to Grafana 9.4.12 or 9.5.3.",Grafana,"Grafana,Grafana Enterprise",5.3,MEDIUM,0.0012000000569969416,false,,false,false,false,,,false,false,,2023-06-06T19:15:00.000Z,0
CVE-2023-1387,https://securityvulnerability.io/vulnerability/CVE-2023-1387,Authentication Bypass in Grafana Monitoring Platform,"Grafana introduced functionality that searches for a JWT in the 'auth_token' URL query parameter when the 'url_login' configuration option is enabled (it is disabled by default). With this option on, the JWT can be forwarded to data sources. An attacker who controls a data source can capture the leaked token and use it to authenticate to Grafana. Review the configuration and leave the option disabled unless it is needed.",Grafana,"Grafana,Grafana Enterprise",7.5,HIGH,0.0014600000577047467,false,,false,false,false,,,false,false,,2023-04-26T14:15:00.000Z,0
CVE-2023-1410,https://securityvulnerability.io/vulnerability/CVE-2023-1410,Stored XSS in Graphite FunctionDescription tooltip,"Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip because the value of the function description was not sanitized. An attacker needs control over the Graphite data source to manipulate a function description, a Grafana admin must configure that data source, and a Grafana user must then select the tampered function and hover over its description. Upgrade to version 8.5.22, 9.2.15 or 9.3.11 to receive a fix.",Grafana,"Grafana,Grafana Enterprise",4.8,MEDIUM,0.0006399999838322401,false,,false,false,false,,,false,false,,2023-03-23T08:15:00.000Z,0
CVE-2023-22462,https://securityvulnerability.io/vulnerability/CVE-2023-22462,Stored XSS in Grafana Text plugin,"Grafana is an open-source platform for monitoring and observability. On 2023-01-01, during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin ""Text"". The stored XSS vulnerability requires several user interactions to be fully exploited. It was possible because React's render cycle passes through the unsanitized HTML code once; only in the next cycle is the HTML cleaned and saved to Grafana's database. An attacker needs the Editor role to change a Text panel so that it includes JavaScript. Another user then needs to edit the same Text panel and click ""Markdown"" or ""HTML"" for the code to execute. This makes vertical privilege escalation possible: a user with the Editor role can set a known password for a user with the Admin role if that Admin executes the malicious JavaScript while viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.",Grafana,Grafana,6.4,MEDIUM,0.0012100000167265534,false,,false,false,false,,,false,false,,2023-03-02T01:15:00.000Z,0
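The feed above is CSV whose quoted description fields may contain commas, doubled quotes and embedded newlines, and it carries the fields a triage process keys on (cisa, exploited, ransomware, poc, epss, score). The Python below is an added example, not part of the feed or of securityvulnerability.io's tooling: it parses such a feed with the standard csv module and orders records by exploitation evidence first, then EPSS, then CVSS. The sample is constructed from three records on this page with shortened descriptions, and the weights in triage_rank are this example's own assumption.

```python
"""Parse and triage a CVE feed in the CSV layout used above.

Added example, not part of the feed or of any vendor tooling. The
weights in triage_rank are this example's own choice."""
import csv
import io

# Constructed sample: three records copied from the page, with shortened
# descriptions. The first description deliberately contains a doubled
# quote and an embedded newline, both legal inside a quoted CSV field.
SAMPLE_FEED = (
    "cve,link,title,description,vendor,products,score,severity,epss,cisa,"
    "cisa_published,article,ransomware,exploited,exploited_date,poc,trended,"
    "trended_no_1,trended_no_1_date,published,trended_score\n"
    "CVE-2024-9264,https://securityvulnerability.io/vulnerability/CVE-2024-9264,"
    'Grafana SQL Expressions Vulnerability,"Unsanitized ""duckdb"" queries.\n'
    'Requires the duckdb binary on $PATH.",Grafana,Grafana,8.8,HIGH,'
    "0.18512000143527985,false,,true,false,true,2024-10-17T01:00:00.000Z,"
    "true,true,true,2024-10-23T08:52:02.695Z,2024-10-18T03:20:52.489Z,9915\n"
    "CVE-2024-5526,https://securityvulnerability.io/vulnerability/CVE-2024-5526,"
    'Server Side Request Forgery in Grafana OnCall,"SSRF in webhooks.",'
    "Grafana,Oncall,9.1,CRITICAL,0.000910000002477318,false,,false,false,false,"
    ",,false,false,,2024-06-05T12:15:00.000Z,0\n"
    "CVE-2024-9476,https://securityvulnerability.io/vulnerability/CVE-2024-9476,"
    'Privilege Escalation Vulnerability in Grafana,"Cross-organization access.",'
    "Grafana Labs,,,,0.0004299999854993075,false,,false,false,false,,,false,"
    "false,,2024-11-13T17:15:00.000Z,0\n"
)

FLAGS = ("cisa", "exploited", "ransomware", "poc")


def parse_feed(text):
    """Read the feed with csv.DictReader. It honours quoted fields, so a
    description spanning several lines still yields one record, and ""
    inside a field is unescaped to a single quote."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["score"] = float(row["score"]) if row["score"] else None
        row["epss"] = float(row["epss"]) if row["epss"] else 0.0
        for flag in FLAGS:
            row[flag] = row[flag].strip().lower() == "true"
    return rows


def triage_rank(row):
    """Urgency score: exploitation evidence first, then EPSS, then CVSS.
    The weights are this example's own assumption, not a standard."""
    rank = 0.0
    rank += 100 if row["cisa"] else 0        # listed in CISA KEV
    rank += 50 if row["exploited"] else 0    # exploitation observed
    rank += 50 if row["ransomware"] else 0   # used in ransomware campaigns
    rank += 20 if row["poc"] else 0          # public proof of concept
    rank += 20 * row["epss"]                 # EPSS is a probability in [0, 1]
    rank += row["score"] if row["score"] is not None else 5.0  # unscored: assume MEDIUM
    return rank


def triage(text):
    """Return CVE ids from the feed, most urgent first."""
    rows = parse_feed(text)
    rows.sort(key=triage_rank, reverse=True)
    return [row["cve"] for row in rows]
```

The point of parsing with the csv module rather than splitting on commas or newlines is visible in the first sample record: a naive line-based reader would break it into two records, which is exactly how the fused and split records on this page came about. Records with an empty score (CVE-2024-9476 here) are kept and ranked on the other signals instead of being dropped.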
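CVE-2024-8975 and CVE-2024-8996 above are both unquoted search path bugs in Windows services. The following Python is an added example, not Grafana's or Microsoft's code: it models how CreateProcess resolves an unquoted command line containing spaces (trying each space-delimited prefix with .exe appended until a file exists), which is why an attacker who can write to a directory earlier in that chain runs as the service account, typically SYSTEM. The service image path and the set of user-writable directories are constructed for illustration; in a real audit they come from the service's ImagePath value and from icacls output.

```python
"""Model of CreateProcess resolution for an unquoted service ImagePath.

Added example, not Grafana's or Microsoft's code. SERVICE_IMAGE_PATH and
WRITABLE_DIRS are constructed assumptions for illustration only."""
import ntpath

# Constructed: an unquoted service command line with spaces in the path.
SERVICE_IMAGE_PATH = (
    r"C:\Program Files\Grafana Alloy\alloy.exe run --config "
    r"C:\ProgramData\alloy\config.alloy"
)

# Constructed assumption: directories a low-privileged user can write to
# (on a real host, check with icacls; this set is only for the demo).
WRITABLE_DIRS = {r"C:\Program Files"}


def unquoted_path_candidates(image_path):
    """Executables CreateProcess would try, in order, for this command line.

    A quoted program name yields exactly one candidate. An unquoted one is
    split at every space: each prefix (with .exe appended when it lacks the
    extension) is tried until a file exists, so whoever can create an
    earlier candidate gets their binary started as the service."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 1 else []
    candidates = []
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        has_exe = prefix.lower().endswith(".exe")
        candidates.append(prefix if has_exe else prefix + ".exe")
        if has_exe:
            break  # reached the intended binary; remaining tokens are arguments
    return candidates


def is_unquoted_service_path(image_path):
    """Detection rule: more than one candidate means the path is unquoted
    and has a space before the executable name."""
    return len(unquoted_path_candidates(image_path)) > 1


def _norm_dir(path):
    return path.lower().rstrip("\\")


def hijack_points(image_path, writable_dirs):
    """Candidates (other than the real binary) whose parent directory is in
    writable_dirs: dropping a file at any of them hijacks the service."""
    writable = {_norm_dir(d) for d in writable_dirs}
    candidates = unquoted_path_candidates(image_path)
    return [c for c in candidates[:-1] if _norm_dir(ntpath.dirname(c)) in writable]
```

The fix on the vendor side is to quote the ImagePath (the second assertion in the usage below shows a quoted path yielding a single candidate); on the operator side, the same candidate list tells you which directories must not be writable by unprivileged users until the patched version is installed.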
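Three of the entries above are failures of the same outbound-request guard: CVE-2023-5122 (a bare-host base URL lets any path be requested), CVE-2023-5123 (traversal characters in a dashboard-supplied path escape the configured endpoint, reaching Grafana's own admin API when the datasource points back at Grafana) and CVE-2023-4399 (a deny list compared as raw strings is bypassed by a punycode spelling of the host). The Python below is an added example, not Grafana's code, showing the two checks a practitioner would want: hostnames canonicalised to IDNA form before comparing against the deny list, and user paths resolved and confined below the configured base prefix. All hostnames and function names are this example's own.

```python
"""Outbound request guard for a data-source plugin.

Added example, not Grafana's code; hosts and function names are this
example's own. Two checks: canonical-form host deny list, and confinement
of a user-supplied path below the administrator-configured base URL."""
import posixpath
from urllib.parse import quote, unquote, urlsplit


def canonical_host(host):
    """Lowercase, drop a trailing dot and convert to IDNA ASCII (punycode),
    so 'Bücher.example.' and 'xn--bcher-kva.example' compare equal."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def naive_is_denied(url, deny_list):
    """The flawed check: compares the raw host string against the list, so
    a punycode (or Unicode) respelling of a denied host slips through."""
    return (urlsplit(url).hostname or "") in deny_list


def is_denied(url, deny_list):
    """Compare canonical forms on both sides of the deny list."""
    host = canonical_host(urlsplit(url).hostname or "")
    return host in {canonical_host(entry) for entry in deny_list}


def resolve_request_url(base_url, user_path):
    """Join a user-controlled path onto the configured base URL and refuse:
    - a bare-host base (no fixed path prefix, so any endpoint is reachable),
    - traversal, including percent-encoded, that leaves the base prefix,
    - query, fragment or backslash characters smuggled in via the path."""
    base = urlsplit(base_url)
    if base.path in ("", "/"):
        raise ValueError("base URL must carry a fixed path prefix, not a bare host")
    prefix = base.path if base.path.endswith("/") else base.path + "/"

    decoded = unquote(user_path)  # so %2e%2e is seen as '..'
    if any(ch in decoded for ch in "?#\\"):
        raise ValueError("path may not contain '?', '#' or backslash")

    # normpath collapses '.', '..' and '//'; the trailing-slash prefix
    # comparison also stops sibling prefixes such as /api/v1evil.
    candidate = posixpath.normpath(posixpath.join(prefix, decoded.lstrip("/")))
    if candidate != prefix.rstrip("/") and not candidate.startswith(prefix):
        raise ValueError(f"path escapes configured prefix: {candidate}")
    return f"{base.scheme}://{base.netloc}{quote(candidate, safe='/')}"
```

The bare-host refusal is deliberately strict: with a base of https://www.example.com/ there is no prefix to confine the path to, which is the CVE-2023-5122 condition, so the guard treats that configuration as an error rather than trying to reason about it.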