FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
e7841611-b808-11ed-b695-6c3be5272acdGrafana -- Stored XSS in TraceView panel

Grafana Labs reports:

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and this will be rendered when the span’s attributes/resources are expanded.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).


Discovery 2023-01-30
Entry 2023-03-01
grafana
< 8.5.21

ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

grafana8
< 8.5.21

grafana9
ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

CVE-2023-0594
https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/
e2a8e2bd-b808-11ed-b695-6c3be5272acdGrafana -- Stored XSS in geomap panel plugin via attribution

Grafana Labs reports:

During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.

The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).


Discovery 2023-01-25
Entry 2023-03-01
grafana
< 8.5.21

ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

grafana8
< 8.5.21

grafana9
ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

CVE-2023-0507
https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/
e6281d88-a7a7-11ed-8d6a-6c3be5272acdGrafana -- Spoofing originalUrl of snapshots

Grafana Labs reports:

A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibility to click on the Local Snapshot button in the Grafana web UI and be presented with the dashboard that the snapshot captured. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot. (Note: This can be done by editing the query thanks to a web proxy like Burp.)

We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).


Discovery 2023-01-25
Entry 2023-02-09
grafana
ge 8.0.0 lt 8.5.16

ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

grafana8
ge 8.0.0 lt 8.5.16

grafana9
ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

CVE-2022-39324
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
ecffb881-a7a7-11ed-8d6a-6c3be5272acdGrafana -- Stored XSS in ResourcePicker component

Grafana Labs reports:

On 2022-12-16 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin GeoMap.

The stored XSS vulnerability was possible due to SVG-files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.


Discovery 2022-12-16
Entry 2023-02-09
grafana
ge 8.1.0 lt 8.5.16

ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

grafana8
ge 8.1.0 lt 8.5.16

grafana9
ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

CVE-2022-23552
https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv
955eb3cc-ce0b-11ed-825f-6c3be5272acdGrafana -- Stored XSS in Graphite FunctionDescription tooltip

Grafana Labs reports:

When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.

The severity of this vulnerability is of CVSSv3.1 5.7 Medium (CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).


Discovery 2023-03-14
Entry 2023-03-29
grafana
< 8.5.22

ge 9.0.0 lt 9.2.15

ge 9.3.0 lt 9.3.11

ge 9.4.0 lt 9.4.7

grafana8
< 8.5.22

grafana9
< 9.2.15

ge 9.3.0 lt 9.3.11

ge 9.4.0 lt 9.4.7

CVE-2023-1410
https://grafana.com/security/security-advisories/cve-2023-1410/
0b85b1cd-e468-11ed-834b-6c3be5272acdGrafana -- Critical vulnerability in golang

Grafana Labs reports:

An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.

The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).


Discovery 2023-04-19
Entry 2023-04-26
grafana
< 8.5.24

ge 9.0.0 lt 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

grafana8
< 8.5.24

grafana9
< 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

CVE-2023-24538
https://grafana.com/blog/2023/04/26/precautionary-patches-for-grafana-released-following-critical-go-vulnerability-cve-2023-24538/