{"id":"CVE-2023-40577","summary":"Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint","details":"Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.","aliases":["BIT-alertmanager-2023-40577","GHSA-v86x-5fm3-5p7j","GO-2023-2020"],"modified":"2026-04-02T09:18:44.785527Z","published":"2023-08-25T00:12:13.045Z","related":["CGA-6v29-m49g-qxff","SUSE-SU-2024:0191-1","SUSE-SU-2024:0486-1","SUSE-SU-2024:0512-1","openSUSE-SU-2024:13599-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40577.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40577.json"},{"type":"ADVISORY","url":"https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40577"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/prometheus/alertmanager","events":[{"introduced":"0"},{"last_affected":"258fab7cdd551f2cf251ed0348f0ad7289aee789"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.25.0"}]}}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.1.0","0.1.0-alpha","0.1.0-beta0","0.1.0-beta1","0.1.0-beta2","0.1.0beta2","0.1.1","0.2.0","0.2.1","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.15.0-rc.0","v0.15.0-rc.1","v0.15.0-rc.2","v0.15.0-rc.3","v0.15.1","v0.15.2","v0.15.3","v0.16.0","v0.16.0-alpha.0","v0.16.0-beta.0","v0.16.1","v0.16.2","v0.17.0","v0.18.0","v0.18.0-rc.0","v0.19.0","v0.19.0-rc.0","v0.20.0","v0.20.0-rc.0","v0.21.0","v0.21.0-rc.0","v0.22.0","v0.22.0-rc.0","v0.22.0-rc.1","v0.22.0-rc.2","v0.22.1","v0.22.2","v0.23.0","v0.23.0-rc.0","v0.24.0","v0.24.0-rc.0","v0.25.0","v0.25.0-rc.0","v0.25.0-rc.1","v0.25.0-rc.2","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.5.0-alpha.0","v0.5.0-beta.0","v0.5.1","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.7.0-rc.0","v0.7.1","v0.8.0","v0.9.0","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40577.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}