Grafana · Grafana · CVE-2023-2183
**Name of the Vulnerable Software and Affected Versions**
Grafana versions prior to 9.5.3
Grafana versions prior to 9.4.12
Grafana versions prior to 9.3.15
Grafana versions prior to 9.2.19
Grafana versions prior to 8.5.26
**Description**
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users with the Viewer role. However, a user with the Viewer role can still send a test alert through the API, because the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, preparing phishing attacks, or blocking SMTP servers.
The API endpoint `/api/alertmanager/grafana/config/api/v1/receivers/test` can be exploited by users with the Viewer role, allowing them to send test alerts. The `receivers` and `alert` values supplied in this request are controlled by the caller, so malicious users can send specially crafted alert messages, potentially leading to phishing attacks or SMTP server blockage.
**Recommendations**
For versions prior to 9.5.3, upgrade to version 9.5.3 to receive a fix.
For versions prior to 9.4.12, upgrade to version 9.4.12 to receive a fix.
For versions prior to 9.3.15, upgrade to version 9.3.15 to receive a fix.
For versions prior to 9.2.19, upgrade to version 9.2.19 to receive a fix.
For versions prior to 8.5.26, upgrade to version 8.5.26 to receive a fix.
As a temporary workaround, consider restricting access to the `/api/alertmanager/grafana/config/api/v1/receivers/test` API endpoint for users with the Viewer role.
Additionally, limit the ability to send multiple e-mails to the same e-mail address per unit of time in the SMTP server configuration settings.