CVE-2018-12099
Published: 2018-06-11
Priority: P4 · CVSS 3.0 base score 6.1 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 2.07% (79.1st percentile)
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
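The flaw is that HTML supplied as a dashboard link title is rendered as markup, so whatever an editor saves as the title runs in every viewer's browser. The JavaScript below is an added illustration, not Grafana's code and not the upstream fix from the pull request cited later on this page: it contrasts a renderer that interpolates the title verbatim with one that escapes both fields and refuses non-http(s) targets. The link object shape, the function names and the hostile title are assumptions constructed for the example.

```javascript
// Added illustration, not Grafana's code or its upstream fix: a dashboard link
// whose title is stored as-is and rendered by string interpolation is stored XSS.
// Link shape, function names and the sample inputs below are assumptions.

// Constructed inputs: what an editor with dashboard-edit rights could save.
const hostileLink = {
  title: '<img src=x onerror="alert(document.cookie)">',
  url: '/d/abc123',
};
const benignLink = { title: 'Ops overview', url: '/d/abc123' };

// Vulnerable pattern: the title lands in the markup verbatim, so the browser
// parses the <img> tag and fires its onerror handler for every viewer.
function renderLinkVulnerable(link) {
  return `<a class="dashboard-link" href="${link.url}">${link.title}</a>`;
}

// Escape the five characters that matter for text between tags and inside
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only absolute http(s) URLs or site-relative paths are allowed as targets;
// anything else (javascript:, data:, protocol-relative //host) becomes "#".
function safeHref(url) {
  const u = String(url).trim();
  if (/^https?:\/\//i.test(u)) return u;
  if (u.startsWith('/') && !u.startsWith('//')) return u;
  return '#';
}

// Hardened pattern: escape both fields and neutralise the URL scheme.
function renderLinkHardened(link) {
  return `<a class="dashboard-link" href="${escapeHtml(safeHref(link.url))}">${escapeHtml(link.title)}</a>`;
}

// True when the rendered markup still carries a raw tag from the title, i.e.
// the renderer is the vulnerable one.
function leaksRawTag(html, title) {
  return /<[a-z]/i.test(title) && html.includes(title);
}
```

Escaping the title is the fix for the title field; the `safeHref` check is there because the follow-on CVEs on this page show that closing one field while leaving its neighbour unfiltered just moves the payload.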
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 6.0.0-beta1 | 6.0.0-beta1 |
| github.com | grafana_grafana | >= 0 < 7.0.0 | 7.0.0 |
| github.com | grafana_grafana | >= 0 < 5.2.0-beta1 | 5.2.0-beta1 |
| github.com | grafana_grafana | >= 0 < 5.2.0-beta1+incompatible | 5.2.0-beta1+incompatible |
| grafana | grafana | <= 5.1.3 | — |
| grafana | grafana | — | — |
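The ranges above end at prerelease tags (5.2.0-beta1, 6.0.0-beta1) and one release (7.0.0), so a naive string or float comparison gets them wrong: 5.1.3 is affected, 5.2.0-beta1 is not, and the Go-module suffix `+incompatible` must be ignored. As an added example that is not part of this page or of Grafana's tooling, the JavaScript below parses a Grafana version string, orders it by the SemVer 2.0 rules (prerelease below release, numeric identifiers below alphanumeric ones) and reports which of the fixed-in cut-offs from the table it is still below. The `/api/health` response is a constructed sample; the endpoint itself is Grafana's health check, which returns the server version.

```javascript
// Added example, not Grafana's code: check a Grafana build against the
// fixed-in versions listed in the page's affected-range table.

// Parse "5.2.0-beta1", "7.0.0", "v6.4.3" or "5.2.0-beta1+incompatible".
// Build metadata after "+" is ignored, as SemVer requires.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// SemVer 2.0 ordering: numeric core first; a prerelease ranks below the
// release with the same core (5.2.0-beta1 < 5.2.0); prerelease identifiers
// compare numerically when both are digits, numeric below alphanumeric,
// otherwise by ASCII. Caveat: "beta10" sorts before "beta2" under these rules.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  if (!x.pre && !y.pre) return 0;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // shorter prefix ranks lower
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; continue; }
    if (pn !== qn) return pn ? -1 : 1;
    if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Fixed-in cut-offs exactly as they appear in the affected-range rows above.
const FIXED_IN = ['5.2.0-beta1', '6.0.0-beta1', '7.0.0'];

// Cut-offs the given build is still below, i.e. fixes it does not yet carry.
function affectedBy(version) {
  return FIXED_IN.filter((fixed) => compareVersions(version, fixed) < 0);
}

// Constructed sample of a Grafana /api/health body; the real endpoint returns
// the same shape and is the usual way to read a server's version remotely.
const sampleHealth = '{"commit":"abcdef0","database":"ok","version":"5.3.1"}';

function versionFromHealth(body) {
  const v = JSON.parse(body).version;
  if (typeof v !== 'string') throw new Error('no version field in health response');
  return v;
}
```

`affectedBy('5.3.1')` returns the two later cut-offs, matching the page's follow-on CVEs for that release; `affectedBy('7.0.0')` returns an empty list.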
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV
Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana
osv · 2024-06-28
CVE-2018-12099
GHSA
Grafana Cross-site Scripting (XSS)
ghsa · 2024-01-31
CVE-2018-12099 [MEDIUM] CWE-79
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
OSV
Grafana Cross-site Scripting (XSS)
osv · 2024-01-31
CVE-2018-12099 [MEDIUM]
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
GHSA
Grafana XSS via adding a link in General feature
ghsa · 2024-01-30 · CVSS 6.1
CVE-2018-18625 [MEDIUM] CWE-79
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
Grafana XSS in Dashboard Text Panel
osv · 2024-01-30 · CVSS 6.1
CVE-2018-18623 [MEDIUM]
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
Grafana XSS via adding a link in General feature
osv · 2024-01-30 · CVSS 6.1
CVE-2018-18625 [MEDIUM]
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
GHSA
Grafana XSS in Dashboard Text Panel
ghsa · 2024-01-30 · CVSS 6.1
CVE-2018-18623 [MEDIUM] CWE-79
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
GHSA
Grafana XSS via a column style
ghsa · 2022-05-24 · CVSS 6.1
CVE-2018-18624 [MEDIUM] CWE-79
Grafana has an XSS vulnerability via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
Grafana XSS via a column style
osv · 2022-05-24 · CVSS 6.1
CVE-2018-18624 [MEDIUM]
Grafana has an XSS vulnerability via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
CVE-2018-18625: Grafana 5
osv · 2020-06-02 · CVSS 6.1
CVE-2018-18625 [MEDIUM]
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
CVE-2018-18623: Grafana 5
osv · 2020-06-02 · CVSS 6.1
CVE-2018-18623 [MEDIUM]
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
CVE-2018-18624: Grafana 5
osv · 2020-06-02 · CVSS 6.1
CVE-2018-18624 [MEDIUM]
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
CVE-2018-12099: Grafana before 5
osv · 2018-06-11 · CVSS 6.1
CVE-2018-12099 [MEDIUM]
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
Red Hat
grafana: XSS vulnerability via a link on the "Dashboard > All Panels > General" screen
vendor_redhat · 2020-06-02 · CVSS 6.1
CVE-2018-18625 [MEDIUM] CWE-79
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
A flaw was found in grafana. An incomplete fix for CVE-2018-12099 allows an XSS via a link on the "Dashboard > All Panels > General" screen.
Statement: While OpenShift 3.11 grafana-container packages a vulnerable version of grafana, the dashboard is set to read-only meaning that the vulnerable component cannot be added or modified to contain the potential XSS. As OpenShift still packages the vulnerable code, the component is affected but with impact Low.
In OpenShift ServiceMesh 1.0 the grafana component is a vulnerable version, however
Red Hat
grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
vendor_redhat · 2020-06-02 · CVSS 6.1
CVE-2018-18624 [MEDIUM] CWE-79
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
A flaw was found in grafana. An incomplete fix for CVE-2018-12099 allows an XSS via a column style on the "Dashboard > Table Panel" screen.
Statement: Both the OpenShift 3.11 and 4.x grafana-containers package a vulnerable version of grafana. However, the grafana instance is set to read-only, meaning that the potential XSS attack cannot be performed because the table panel cannot be modified or added. As OpenShift still packages the vulnerable code, the components are affected but with impact Low.
In OpenShift ServiceMesh the grafana component is a vulnerab
Red Hat
grafana: XSS vulnerability via the "Dashboard > Text Panel" screen
vendor_redhat · 2020-06-02 · CVSS 6.1
CVE-2018-18623 [MEDIUM] CWE-79
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
A flaw was found in grafana. An incomplete fix for CVE-2018-12099 allows an XSS in the "Dashboard > Text Panel" screen.
Statement: While the OpenShift 3.11 grafana-container packages a vulnerable version of grafana, the dashboard is set to read-only, meaning that the vulnerable component cannot be added or modified to contain the potential XSS. As the OpenShift version still packages vulnerable code, the impact is set to Low.
Package: servicemesh-grafana (OpenShift Service Mesh 1) - Not affected
Package: grafana (Red Hat Ceph Storage 2) - Out of support scope
Package: rhceph/rhceph-4-dashb
Red Hat
grafana: Cross-site Scripting (XSS) in dashboard links
vendor_redhat · 2018-05-08 · CVSS 6.1
CVE-2018-12099 [MEDIUM] CWE-79
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
Package: grafana (Red Hat Ceph Storage 2) - Will not fix
Package: grafana (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools) - Not affected
Package: grafana (Red Hat OpenStack Platform 8 (Liberty) Operational Tools) - Not affected
Package: grafana (Red Hat OpenStack Platform 9 (Mitaka) Operational Tools) - Not affected
Package: grafana (Red Hat Storage 3) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-18625 grafana: XSS vulnerability via a link on the "Dashboard > All Panels > General" screen
bugzilla · 2020-06-24 · CVSS 6.1
CVE-2018-18625 [MEDIUM]
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
https://github.com/grafana/grafana/pull/11813
https://security.netapp.com/advisory/ntap-20200608-0008/
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1850584]
---
This vulnerability actually applies to the "dashboard" field at "Home > Edit Panel > Add Link > General > Dashboard" after the dashboard title has been set: https://github.com/grafana/grafana/pull/11813#issuecomment-458000030
---
OpenShift packages a vulnerable version of grafana:
- OpenShift 3.11 grafana v5.2.3
ServiceMesh also pa
Bugzilla
CVE-2018-18623 grafana: XSS vulnerability via the "Dashboard > Text Panel" screen
bugzilla · 2020-06-24 · CVSS 6.1
CVE-2018-18623 [MEDIUM]
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
https://github.com/grafana/grafana/pull/11813
https://security.netapp.com/advisory/ntap-20200608-0008/
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1850570]
---
Upstream commit: https://github.com/grafana/grafana/pull/14984/commits/15d560a1c01f5bfb354f83183886881554026bb8
Looks like that is the patch given the comment: https://github.com/grafana/grafana/pull/11813#issuecomment-458045266
The patch got included in the major release of v6.0.0 as well.
---
OpenShift 3.11 grafana-container packages a vulnerable version of grafana 5.
Bugzilla
CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
bugzilla · 2020-06-24 · CVSS 6.1
CVE-2018-18624 [MEDIUM]
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
https://github.com/grafana/grafana/pull/11813
https://security.netapp.com/advisory/ntap-20200608-0008/
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1850573]
---
Upstream commit: https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e
---
ServiceMesh packages a vulnerable version of grafana v6.4.3 in the openshift-service-mesh/grafana-rhel8 container.
---
upstream PR: https://github.com/grafana/grafana/pull/23816
---
Statement:
Both OpenShift 3.11 and 4.x grafan
Bugzilla
CVE-2018-12099 grafana: Cross-site Scripting (XSS) in dashboard links
bugzilla · 2018-06-11 · CVSS 6.1
CVE-2018-12099 [MEDIUM]
A flaw was found in Grafana before 5.2.0-beta1: the dashboard links are vulnerable to cross-site scripting when HTML carrying script is used as a link title.
References:
https://github.com/grafana/grafana/pull/11813
Discussion:
The version of Grafana (grafana-2.0.2-3.el7ost) that is shipped in OpenStack Optools (7, 8 & 9) does not contain the vulnerable code or the feature being exploited.
References:
https://github.com/grafana/grafana/pull/11813
https://github.com/grafana/grafana/releases/tag/v5.2.0-beta1
https://security.netapp.com/advisory/ntap-20190416-0004/
Published: 2018-06-11