Date | CVE | Title
---|---|---
November 12, 2024 | CVE-2024-9476 | Privilege escalation vulnerability for Organizations in Grafana |
October 28, 2024 | CVE-2024-10452 | Org admins can delete pending invites in different org |
October 17, 2024 | CVE-2024-9264 | Grafana SQL Expressions allow for remote code execution |
September 26, 2024 | CVE-2024-8118 | Grafana alerting wrong permission on datasource rule write endpoint |
September 25, 2024 | CVE-2024-8996 | Grafana Agent flow mode unquoted service path |
September 25, 2024 | CVE-2024-8975 | Grafana Alloy unquoted service path |
September 19, 2024 | CVE-2024-8986 | Information Leakage in grafana-plugin-sdk-go |
July 23, 2024 | CVE-2024-6322 | Grafana plugins route actions are not scoped to instance |
May 30, 2024 | CVE-2024-5526 | Grafana OnCall Webhook SSRF |
March 26, 2024 | CVE-2024-1313 | Users outside an organization can delete a snapshot with its key |
March 7, 2024 | CVE-2024-1442 | User with permissions to create a data source can CRUD all data sources |
February 14, 2024 | CVE-2023-5123 | Improper Path Sanitization in JSON Datasource Plugin |
February 14, 2024 | CVE-2023-5122 | SSRF in CSV Datasource Plugin |
February 13, 2024 | CVE-2023-6152 | Email verification is not required after email change |
October 12, 2023 | CVE-2023-4399 | Grafana Enterprise datasource network restrictions bypass |
October 12, 2023 | CVE-2023-4822 | Grafana org admins can modify permissions across all orgs |
September 19, 2023 | CVE-2023-4457 | Google Sheets data source plugin - API key leaks in error messages |
June 22, 2023 | CVE-2023-3128 | Grafana authentication bypass using Azure AD OAuth |
June 8, 2023 | CVE-2023-3010 | Grafana WorldMap Panel Plugin DOM XSS |
June 6, 2023 | CVE-2023-2183 | Broken Access Control in Alert manager |
June 6, 2023 | CVE-2023-2801 | Grafana ds proxy race condition |
April 26, 2023 | CVE-2023-1387 | JWT URL-login flow leaks token to data sources through request parameter in proxy requests |
March 22, 2023 | CVE-2023-1410 | Stored XSS in Graphite FunctionDescription tooltip |
February 28, 2023 | CVE-2023-0594 | Stored XSS in TraceView Panel |
February 28, 2023 | CVE-2023-22462 | Text panel plugin XSS |
February 28, 2023 | CVE-2023-0507 | XSS In Geomap Via Attribution |
February 1, 2023 | CVE-2022-23498 | Use of Cache Containing Sensitive Information |
January 26, 2023 | CVE-2022-39324 | Spoofing originalUrl of snapshots |
January 26, 2023 | CVE-2022-23552 | Stored XSS in ResourcePicker component |
November 8, 2022 | CVE-2022-39306 | Email addresses and usernames can not be trusted |
November 8, 2022 | CVE-2022-39328 | Race condition allowing privilege escalation |
November 8, 2022 | CVE-2022-39307 | User enumeration via forget password |
October 12, 2022 | CVE-2022-39201 | Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins |
October 12, 2022 | CVE-2022-31130 | Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins |
October 12, 2022 | CVE-2022-31123 | Plugin signature bypass |
October 12, 2022 | CVE-2022-39229 | Using email as a username can block other users from signing in |
September 20, 2022 | CVE-2022-35957 | Escalation from admin to server admin when auth proxy is used |
September 20, 2022 | CVE-2022-36062 | Grafana folders admin only permission privilege escalation |
August 30, 2022 | CVE-2022-31176 | Grafana Image Renderer leaking files |
July 14, 2022 | CVE-2022-31107 | Grafana account takeover via OAuth vulnerability |
July 14, 2022 | CVE-2022-31097 | Stored XSS in Unified Alerting |
May 19, 2022 | CVE-2022-29170 | Grafana Enterprise datasource network restrictions bypass via HTTP redirects |
April 12, 2022 | CVE-2022-24812 | Grafana Enterprise fine-grained access control API Key privilege escalation |
February 8, 2022 | CVE-2022-21703 | Grafana Cross Site Request Forgery |
February 8, 2022 | CVE-2022-21702 | Grafana proxy XSS |
February 8, 2022 | CVE-2022-21713 | Grafana Teams API IDOR |
January 18, 2022 | CVE-2022-21673 | Forward OAuth Identity Token can allow users to access some data sources |