CVE-2023-40577

HIGH

Alertmanager < 0.25.1 - Cross-Site Scripting via /api/v1/alerts Endpoint

Title source: llm

Description

Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.

References (2)

Core 2

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html

Vendor Advisory x_refsource_confirm

https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j

Scores

CVSS v3 7.5

EPSS 0.0358

EPSS Percentile 87.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

debian/debian_linux 10.0

prometheus/alertmanager 0.25.0

prometheus/alertmanager 0 - 0.25.1Go

Published Aug 25, 2023

Tracked Since Feb 18, 2026