Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

Main / Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

Discription

### Impact

An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.

### Patches

Users can upgrade to Alertmanager v0.2.51.

### Workarounds

Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.

### References

N/ARead More

References

Back to Main

Subscribe for the latest news: