CVE-2022-26148
9.8
CRITICAL
CVSS 3.1
EPSS 87.2%
Description
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
How to fix CVE-2022-26148
To remediate CVE-2022-26148, upgrade the affected package to a fixed version below.
- —upgrade to 7.3.5 or later
Is CVE-2022-26148 being exploited?
Likely — EPSS is 87.2%, placing CVE-2022-26148 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, < 7.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |