Vulnerabilities > Grafana
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-10-29 | CVE-2024-10452 | Authorization Bypass Through User-Controlled Key vulnerability in Grafana 10.4.0. Organization admins can delete pending invites created in an organization they are not part of. | 2.7 |
2024-10-18 | CVE-2024-9264 | Command Injection vulnerability in Grafana 11.0.0. The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. | 8.8 |
2024-09-25 | CVE-2024-8975 | Unquoted Search Path or Element vulnerability in Grafana Alloy 1.4.0. Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. | 7.8 |
2024-09-25 | CVE-2024-8996 | Unquoted Search Path or Element vulnerability in Grafana Agent. Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Agent Flow: before 0.43.2. | 7.8 |
2024-06-05 | CVE-2024-5526 | Server-Side Request Forgery (SSRF) vulnerability in Grafana OnCall. Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall versions from 1.1.37 before 1.5.2 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability in the webhook functionality. | 9.1 |
2024-02-14 | CVE-2023-5122 | Server-Side Request Forgery (SSRF) vulnerability in Grafana. Grafana is an open-source platform for monitoring and observability. | 5.3 |
2024-02-13 | CVE-2023-6152 | Incorrect Authorization vulnerability in Grafana. A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will validate email only on sign up. | 5.4 |
2023-10-25 | CVE-2023-3010 | Cross-site Scripting vulnerability in Grafana Worldmap Panel. Grafana is an open-source platform for monitoring and observability. | 6.1 |
2023-10-17 | CVE-2023-4399 | Unspecified vulnerability in Grafana. Grafana is an open-source platform for monitoring and observability. | 7.2 |
2023-10-16 | CVE-2023-4457 | Information Exposure Through an Error Message vulnerability in Grafana Google Sheets. Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2, is vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, potentially exposing the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2. | 7.5 |