GHSA-v86x-5fm3-5p7j: Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

Impact

An attacker with permission to send POST requests to the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users.

Patches

Users can upgrade to Alertmanager v0.2.51.

Workarounds

Users can set up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
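As an added illustration of that workaround (example code, not part of the advisory or of the Alertmanager project), here is a minimal Go reverse proxy that answers every request for /api/v1/alerts, including trailing-slash and doubled-slash spellings of it, with 403 and forwards everything else to Alertmanager. It assumes Alertmanager listens on 127.0.0.1:9093 and that the Prometheus servers pushing alerts use the v2 alerts API, since v1 pushes are blocked along with the rest of the endpoint.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// NewGuardedProxy returns a handler that forwards every request to the
// Alertmanager at backend, except requests for /api/v1/alerts (and any path
// beneath it), which are answered with 403 before they reach Alertmanager.
func NewGuardedProxy(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isBlockedPath(r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

// isBlockedPath decides whether a request path targets the blocked endpoint.
// path.Clean collapses "//" and "/./" segments and strips a trailing slash, so
// spellings such as /api//v1/alerts/ resolve to the same decision.
func isBlockedPath(p string) bool {
	p = path.Clean("/" + p)
	return p == "/api/v1/alerts" || strings.HasPrefix(p, "/api/v1/alerts/")
}

func main() {
	// Assumed Alertmanager listen address; adjust to your deployment.
	backend, err := url.Parse("http://127.0.0.1:9093")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", NewGuardedProxy(backend)))
}
```

The proxy only helps if it is the sole route to Alertmanager, so bind Alertmanager's own web listener to an address clients cannot reach directly.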

References

N/A


Severity: High (GitHub Reviewed). Published Aug 23, 2023 in prometheus/alertmanager. Updated Aug 23, 2023.

Package

gomod github.com/prometheus/alertmanager (Go)

Affected versions

<= 0.25.0


