Oxeye-Daniel

**Name of the Vulnerable Software and Affected Versions** Alertmanager versions prior to 0.2.51 **Description** The issue is related to the improper neutralization of input data during web page generation in the /api/v1/alerts endpoint of the Alertmanager component in the Prometheus monitoring system. An attacker with permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript code on the users of Prometheus Alertmanager. **Recommendations** For versions prior to 0.2.51, upgrade to Alertmanager version 0.2.51. As a temporary workaround, consider setting up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.

**Name of the Vulnerable Software and Affected Versions** OpenTSDB versions prior to 2.4.2 **Description** OpenTSDB is vulnerable to Remote Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration. The issue has been patched in commits `07c4641471c` and `fa88d3e4b`, which are available in the `2.4.2` release. **Recommendations** For versions prior to 2.4.2, upgrade to version 2.4.2 to resolve the issue. As a temporary workaround for users unable to upgrade, disable Gnuplot via the config option `tsd.core.enable ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.

**Name of the Vulnerable Software and Affected Versions** EaseProbe versions prior to 2.1.0 **Description** The issue is related to an SQL injection problem in EaseProbe when using MySQL/PostgreSQL data checking. This occurs due to a lack of protection measures for the SQL query structure, allowing an attacker to execute arbitrary SQL code. The vulnerability was discovered by the Oxeye research team. **Recommendations** For versions prior to 2.1.0, upgrade to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the MySQL/PostgreSQL data checking functionality until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.9.11 **Description** The issue is related to insufficient resource control with dynamic management in the vm2 library, allowing a remote attacker to execute arbitrary code by bypassing sandbox protections. The vulnerability affects the vm2 sandbox, which can run untrusted code with whitelisted Node's built-in modules. It is estimated that over 500 instances of Backstage, a popular developer portal, are vulnerable to this issue, with many of them accessible without authentication due to default deployment settings. The vulnerability was patched in version 3.9.11 of vm2. **Recommendations** For versions prior to 3.9.11, update to version 3.9.11 or later to resolve the issue. As a temporary workaround, consider disabling the use of the vm2 sandbox until a patch is applied. Restrict access to the vm2 module to minimize the risk of exploitation. Avoid using the vm2 sandbox to run untrusted code until the issue is resolved.