CVE-2018-1000816 — Cross-site Scripting in Grafana Grafana

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 36.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedDec 20

Latest updateMay 14

Description

Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Scripting (XSS) vulnerability in Influxdb and Graphite query editor that can result in Running arbitrary js code in victims browser.. This attack appear to be exploitable via Authenticated user must click on the input field where the payload was previously inserted..

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶Gogithub.com/grafana_grafana< 5.3.2

▶NVDgrafana/grafana5.2.4, 5.3.0+1

🔴Vulnerability Details

OSV

Grafana XSS Vulnerability↗2022-05-14

▶

GHSA

Grafana XSS Vulnerability↗2022-05-14

▶

OSV

CVE-2018-1000816: Grafana version confirmed for 5↗2018-12-20

▶

CVEList

CVE-2018-1000816: Grafana version confirmed for 5↗2018-12-20

▶

📋Vendor Advisories

Red Hat

grafana: Cross site scripting in Influxdb and Graphite query editor↗2018-10-14

▶

💬Community

Bugzilla

CVE-2018-1000816 grafana: Cross site scripting in Influxdb and Graphite query editor↗2018-12-21

▶