CVE-2018-18624
Published 2020-06-02. CVE-2018-18624: Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Priority: P4 · 23 · medium · 6.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.40% (69.1th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 7.0.0 | 7.0.0 |
| grafana | grafana | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV
Grafana XSS via a column style in github.com/grafana/grafana
osv · 2024-06-28 · CVE-2018-18624
Grafana XSS via a column style in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.
GHSA
Grafana XSS via a column style
ghsa · 2022-05-24 · CVSS 6.1 · MEDIUM · CWE-79
Grafana has an XSS vulnerability via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
Grafana XSS via a column style
osv · 2022-05-24 · CVSS 6.1 · MEDIUM
Grafana has an XSS vulnerability via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
OSV
CVE-2018-18624: Grafana 5
osv · 2020-06-02 · CVSS 6.1 · MEDIUM
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Red Hat
grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
vendor_redhat · 2020-06-02 · CVSS 6.1 · MEDIUM · CWE-79
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
A flaw was found in grafana. An incomplete fix for CVE-2018-12099 allows for an XSS via a column style on the "Dashboard > Table Panel" screen.
Statement: Both OpenShift 3.11 and 4.x grafana containers package a vulnerable version of grafana. However, the grafana instance is set to read-only, meaning that the potential XSS attack cannot be performed as the table panel cannot be modified or added. As OpenShift still packages the vulnerable code, the components are affected but with impact Low.
In OpenShift ServiceMesh the grafana component is a vulnerab
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen [fedora-all]
bugzilla · 2020-06-24 · CVSS 6.1 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
bugzilla · 2020-06-24 · CVSS 6.1 · MEDIUM
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
https://github.com/grafana/grafana/pull/11813
https://security.netapp.com/advisory/ntap-20200608-0008/
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1850573]
---
Upstream commit: https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e
---
ServiceMesh packages a vulnerable version of grafana v6.4.3 in the openshift-service-mesh/grafana-rhel8 container.
---
upstream PR: https://github.com/grafana/grafana/pull/23816
---
Statement:
Both OpenShift 3.11 and 4.x grafan
Published: 2020-06-02