CVE-2023-40577 HIGH

CVE-2023-40577: Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

Vendor Prometheus
Product alertmanager
Weakness CWE-79 · XSS
Published August 25, 2023
Last update February 13, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users. This issue has been fixed in Alertmanager version 0.2.51.

Key dates

Disclosure timeline

August 25, 2023 CVE published
February 13, 2025 Record updated