A stored, DOM-based cross-site scripting (XSS) flaw was found in Prometheus. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
Prometheus versions from 2.1.0 and before 2.7.1 are vulnerable to a stored, DOM-based cross-site scripting (XSS) attack. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing malicious code to run and to remain in the browser's local storage.
Upstream Pull Request:
Created golang-github-prometheus-prometheus tracking bugs for this issue:
Affects: epel-6 [bug 1672867]
Affects: fedora-all [bug 1672866]
Prometheus Cluster Monitoring was a Technology Preview feature before OpenShift Container Platform 3.11.