graphite-web@0.9.7c vulnerabilities

Enterprise scalable realtime graphing

Direct Vulnerabilities

Known vulnerabilities in the graphite-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below lists the Snyk severity (M = medium, H = high), the vulnerability, how to fix it where a fix is known, and the vulnerable version range.
• Severity: M (medium)
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Template Name" input at http://localhost/dashboard/.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
• Severity: M (medium)
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Absolute Time Range" input at http://localhost/dashboard/.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
• Severity: M (medium)
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Relative Time Range" input at http://localhost/dashboard/.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
• Severity: M (medium)
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via setDashboardName.

How to fix Cross-site Scripting (XSS)?

Upgrade graphite-web to version 1.1.8 or higher.

Vulnerable versions: [,1.1.8)
• Severity: H (high)
Server-side Request Forgery (SSRF)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in send_email in graphite-web/webapp/graphite/composer/views.py. The endpoint can be used by an attacker to have the web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

How to fix Server-side Request Forgery (SSRF)?

Upgrade graphite-web to version 1.1.6 or higher.

Vulnerable versions: [,1.1.6)
• Severity: M (medium)
Arbitrary Code Injection

graphite-web is an enterprise-scalable realtime graphing system.

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

Vulnerable versions: [0.9.5,0.9.11)
• Severity: M (medium)
Arbitrary Code Injection

graphite-web is an enterprise-scalable realtime graphing system.

Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.

Vulnerable versions: [0.9.5,0.9.11)
• Severity: M (medium)
Cross-site Scripting (XSS)

graphite-web is an enterprise-scalable realtime graphing system.

Multiple cross-site scripting (XSS) vulnerabilities in Graphite before 0.9.11 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable versions: [,0.9.11)