GHSA-3m87-5598-2v4f

Source
https://github.com/advisories/GHSA-3m87-5598-2v4f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-3m87-5598-2v4f/GHSA-3m87-5598-2v4f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3m87-5598-2v4f
Withdrawn
2023-12-18T20:53:30Z
Published
2023-12-13T21:26:54Z
Modified
2023-12-18T20:53:30Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Withdrawn Advisory: Prometheus XSS Vulnerability
Details

Withdrawn Advisory

This advisory has been withdrawn because the vulnerability does not apply to the Prometheus golang package. This link is maintained to preserve external references.

Original Description

A stored, DOM-based cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.

Affected packages

Go / github.com/prometheus/prometheus

Package

Name
github.com/prometheus/prometheus
Purl
pkg:golang/github.com/prometheus/prometheus

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.1