prometheus-alertmanager
0.26.0-r0
5.4
CVSS V3
Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.
Users can upgrade to Alertmanager v0.2.51.
Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
N/A