Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Moderate severity · GitHub Reviewed
Published Aug 23, 2023 in prometheus/alertmanager • Updated Nov 12, 2023
Affected versions: <= 0.25.0
Patched versions: 0.25.1
Published to the GitHub Advisory Database: Aug 23, 2023
Reviewed: Aug 23, 2023
Published by the National Vulnerability Database: Aug 25, 2023
Last updated: Nov 12, 2023
Description
Impact
An attacker who is allowed to send POST requests to the /api/v1/alerts endpoint can submit alert content that Alertmanager stores and later renders in its web UI, so that arbitrary JavaScript executes in the browser of any user who views the affected alerts (a stored cross-site scripting vulnerability).
Patches
Users can upgrade to Alertmanager v0.25.1.
Workarounds
Users can set up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint. Note that a Prometheus server configured with api_version: v1 in its alerting section pushes alerts to exactly this endpoint, so such senders must be allow-listed (or switched to v2) rather than blocked, and Alertmanager must not remain reachable directly (for example, bind it to localhost with --web.listen-address) or the proxy is trivially bypassed.
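The following nginx configuration is an added example of the reverse-proxy workaround; it is not from the advisory or the Alertmanager project. It assumes Alertmanager listens on 127.0.0.1:9093, that the proxy is served under the hostname alertmanager.example.internal, and that a single trusted Prometheus server at 10.0.0.5 still uses the v1 API; all three values are placeholders to be replaced.

```nginx
# Added example, not part of the advisory or of Alertmanager itself.
# Alertmanager is assumed to be bound to loopback only
# (--web.listen-address=127.0.0.1:9093) so that clients cannot bypass the proxy.
upstream alertmanager {
    server 127.0.0.1:9093;
}

server {
    listen 80;
    server_name alertmanager.example.internal;   # assumed hostname

    # The vulnerable endpoint: refuse it for everyone except trusted senders.
    # Prefix match also covers a trailing slash or a --web.route-prefix-style suffix.
    location ^~ /api/v1/alerts {
        allow 10.0.0.5;   # assumed Prometheus server still configured with api_version: v1
        deny  all;        # every other client receives 403 before the request reaches Alertmanager
        proxy_pass http://alertmanager;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (the UI, /api/v2/*, /-/healthy, /-/ready) is passed through unchanged.
    location / {
        proxy_pass http://alertmanager;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, a POST to http://alertmanager.example.internal/api/v1/alerts from a non-allow-listed address should return 403 while the UI and /api/v2/alerts keep working. The allow list only has to cover senders that still use the v1 API; Prometheus defaults to api_version: v2, so in most deployments the list can be empty and the location can simply deny all. Blocking the endpoint does not remove alerts that were already stored, and it is a stopgap until the upgrade to 0.25.1 is done.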
References
N/A