Vulnerabilities > Grafana
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-29 | CVE-2024-10452 | Authorization Bypass Through User-Controlled Key vulnerability in Grafana 10.4.0 Organization admins can delete pending invites created in an organization they are not part of. | 2.7 |
| 2024-10-18 | CVE-2024-9264 | Command Injection vulnerability in Grafana 11.0.0 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. | 8.8 |
| 2024-09-25 | CVE-2024-8975 | Unquoted Search Path or Element vulnerability in Grafana Alloy Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. | 7.8 |
| 2024-09-25 | CVE-2024-8996 | Unquoted Search Path or Element vulnerability in Grafana Agent Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2 | 7.8 |
| 2024-06-05 | CVE-2024-5526 | Server-Side Request Forgery (SSRF) vulnerability in Grafana Oncall Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.5.2 are vulnerable to a Server Side Request Forgery (SSRF) vulnerability in the webhook functionallity. | 9.1 |
| 2024-03-07 | CVE-2024-1442 | Unspecified vulnerability in Grafana A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. | 8.8 |
| 2024-02-14 | CVE-2023-5122 | Server-Side Request Forgery (SSRF) vulnerability in Grafana Grafana is an open-source platform for monitoring and observability. | 5.3 |
| 2024-02-13 | CVE-2023-6152 | Incorrect Authorization vulnerability in Grafana A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. | 5.4 |
| 2023-10-25 | CVE-2023-3010 | Cross-site Scripting vulnerability in Grafana Worldmap Panel Grafana is an open-source platform for monitoring and observability. | 6.1 |
| 2023-10-17 | CVE-2023-4399 | Unspecified vulnerability in Grafana Grafana is an open-source platform for monitoring and observability. | 7.2 |