Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Discription
### Impact
An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.
### Patches
Users can upgrade to Alertmanager v0.2.51.
### Workarounds
Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
### References
N/ARead More
References
Back to Main