Oxeye-Gal

**Name of the Vulnerable Software and Affected Versions** Alertmanager versions prior to 0.2.51 **Description** The issue is related to the improper neutralization of input data during web page generation in the /api/v1/alerts endpoint of the Alertmanager component in the Prometheus monitoring system. An attacker with permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript code on the users of Prometheus Alertmanager. **Recommendations** For versions prior to 0.2.51, upgrade to Alertmanager version 0.2.51. As a temporary workaround, consider setting up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.

**Name of the Vulnerable Software and Affected Versions** OpenTSDB versions prior to 2.4.2 **Description** OpenTSDB is vulnerable to Remote Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration. The issue has been patched in commits `07c4641471c` and `fa88d3e4b`, which are available in the `2.4.2` release. **Recommendations** For versions prior to 2.4.2, upgrade to version 2.4.2 to resolve the issue. As a temporary workaround for users unable to upgrade, disable Gnuplot via the config option `tsd.core.enable ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.

**Name of the Vulnerable Software and Affected Versions** EaseProbe versions prior to 2.1.0 **Description** The issue is related to an SQL injection problem in EaseProbe when using MySQL/PostgreSQL data checking. This occurs due to a lack of protection measures for the SQL query structure, allowing an attacker to execute arbitrary SQL code. The vulnerability was discovered by the Oxeye research team. **Recommendations** For versions prior to 2.1.0, upgrade to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the MySQL/PostgreSQL data checking functionality until the upgrade is applied.