← back
CVE-2023-40577

Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

CVSS 7.5 HIGHEPSS 0.6%CWE-79
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
prometheus · alertmanager

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7jhttps://lists.debian.org/debian-lts-announce/2023/10/msg00011.html