Grafana · Grafana · CVE-2021-41244
**Name of the Vulnerable Software and Affected Versions**
Grafana versions 8.0 through 8.2.3
**Description**
Grafana is an open-source platform for monitoring and observability. In affected versions, when the fine-grained access control beta feature is enabled and the Grafana instance has more than one organization, admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism that, with fine-grained access control enabled, allows users with the Organization Admin role to list, add, remove, and update users' roles in other organizations where they do not have the organization admin role.
**Recommendations**
For versions 8.0 through 8.2.3, upgrade to version 8.2.4 as soon as possible.
If you cannot upgrade, turn off the fine-grained access control using a feature flag.
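
The following triage check is an added example, not code from Grafana or from this advisory. It tests the three conditions named above (version in range, feature enabled, more than one organization). It assumes the feature flag is the `accesscontrol` entry of `enable` under `[feature_toggles]` in `grafana.ini`, that `GF_FEATURE_TOGGLES_ENABLE` overrides the file, and that the caller supplies the organization count; the function names and the sample configuration are constructed for illustration.

```python
import configparser
import re

AFFECTED_MIN, AFFECTED_MAX = (8, 0, 0), (8, 2, 3)  # advisory: 8.0 through 8.2.3
TOGGLE = "accesscontrol"  # assumption: toggle name for fine-grained access control

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_INI = """\
app_mode = production

[feature_toggles]
; enable = oldvalue
enable = ngalert accesscontrol
"""


def parse_version(text):
    """Return (major, minor, patch); a pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def enabled_toggles(ini_text, env=None):
    """Collect feature toggles from grafana.ini text and the environment."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may set keys before any section header; give them a section.
    cfg.read_string("[__root__]\n" + ini_text)
    raw = cfg.get("feature_toggles", "enable", fallback="")
    # An environment variable, when set, replaces the value from the file.
    raw = (env or {}).get("GF_FEATURE_TOGGLES_ENABLE", raw)
    return {t.lower() for t in re.split(r"[\s,]+", raw) if t}


def assess(version, ini_text, org_count, env=None):
    """Return a finding for the three conditions the advisory names."""
    if not AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX:
        return "not affected: version outside 8.0 through 8.2.3"
    if TOGGLE not in enabled_toggles(ini_text, env):
        return "affected version, feature off: upgrade to 8.2.4"
    if org_count <= 1:
        return "affected version, feature on, single org: upgrade to 8.2.4"
    return "EXPOSED: upgrade to 8.2.4 or remove the feature toggle"
```

Checking the environment as well as the file matters because a toggle set only through the environment does not appear in `grafana.ini`.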