Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Grafana Missing Authentication for Critical Function Vulnerability (CVE-2022-28660)

Description

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode

Remediation

References

Related Vulnerabilities

Moodle Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2016-5013)

WordPress Plugin Ad Blocker Notify Lite Cross-Site Scripting (2.4.0)

WordPress Plugin Quiz and Survey Master (QSM)-Easy Quiz and Survey Maker SQL Injection (9.0.1)

WordPress Plugin DiveBook Multiple Vulnerabilities (1.1.4)

WordPress Plugin Smart Forms-when you need more than just a contact form Security Bypass (2.6.84)

Severity

Critical

Classification

CVE-2022-28660 CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities