CVE-2018-18625
Published 2020-06-02
Priority P4 24 · medium · CVSS 3.1 base score 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 1.19% (64.1th percentile)
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 6.0.0-beta1 | 6.0.0-beta1 |
| github.com | grafana_grafana | >= 0 < 6.0.0-beta1+incompatible | 6.0.0-beta1+incompatible |
| grafana | grafana | — | — |
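The range in the table above only reads correctly with semver precedence: 6.0.0-beta1 sorts below 6.0.0, and the "+incompatible" build suffix in the second range does not affect ordering. A plain string comparison gets both wrong. The checker below is an added example, not code from the advisory or from the Grafana project; it assumes the target exposes Grafana's /api/health endpoint (which returns a JSON object including a version field) and uses a constructed sample body in place of a live request.

```python
import json
import re

# Upper bound of the affected range in the Affected table: >= 0 < 6.0.0-beta1.
FIXED_IN = "6.0.0-beta1"

_SEMVER = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


def parse_version(text):
    """Split a semver string into ((major, minor, patch), prerelease_ids).

    Build metadata after '+' (the '+incompatible' suffix in the second
    range on this page) is parsed but ignored for ordering, as semver
    requires. Returns None for input that is not a semver string.
    """
    m = _SEMVER.match(text.strip())
    if m is None:
        return None
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    pre = tuple(m["pre"].split(".")) if m["pre"] else ()
    return core, pre


def _pre_key(ident):
    # Numeric identifiers compare as integers and rank below alphanumerics.
    return (0, int(ident), "") if ident.isdigit() else (1, 0, ident)


def compare(a, b):
    """Semver precedence: -1 if a < b, 0 if equal, 1 if a > b."""
    pa, pb = parse_version(a), parse_version(b)
    if pa is None or pb is None:
        raise ValueError(f"not a semver string: {a!r} / {b!r}")
    (core_a, pre_a), (core_b, pre_b) = pa, pb
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if pre_a == pre_b:
        return 0
    if not pre_a:  # a release outranks any prerelease of the same core
        return 1
    if not pre_b:
        return -1
    key_a = [_pre_key(x) for x in pre_a]
    key_b = [_pre_key(x) for x in pre_b]
    if key_a == key_b:
        return 0
    # List comparison is lexicographic and a shorter equal prefix sorts
    # first, which is exactly semver's rule for prerelease identifier lists.
    return -1 if key_a < key_b else 1


def is_affected(version):
    """True when `version` lies in the page's range >= 0 < 6.0.0-beta1."""
    return compare(version, FIXED_IN) < 0


# Constructed sample of a GET /api/health response body. Grafana's health
# endpoint returns a small JSON object with commit, database and version
# fields; the values below are made up for this example.
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "5.3.1"}'


def check_health_json(body):
    """Parse a /api/health body and return (version, affected)."""
    version = json.loads(body).get("version", "")
    return version, is_affected(version)


if __name__ == "__main__":
    for v in ("5.2.3", "5.3.1", "6.0.0-alpha1", "6.0.0-beta1",
              "6.0.0-beta1+incompatible", "6.0.0"):
        print(f"{v:28} affected={is_affected(v)}")
    print(check_health_json(SAMPLE_HEALTH))
```

The 5.2.3 case matches the OpenShift 3.11 build mentioned in the Red Hat note further down; the beta1 and "+incompatible" cases are the boundary that a string comparison would misclassify.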
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV
osv·2024-06-28
Grafana XSS via adding a link in General feature in github.com/grafana/grafana
GHSA
ghsa·2024-01-30·CVSS 6.1·MEDIUM·CWE-79
Grafana XSS via adding a link in General feature
OSV
osv·2024-01-30·CVSS 6.1·MEDIUM
Grafana XSS via adding a link in General feature
OSV
osv·2020-06-02·CVSS 6.1·MEDIUM
CVE-2018-18625: Grafana 5
Red Hat
vendor_redhat·2020-06-02·CVSS 6.1·MEDIUM·CWE-79
grafana: XSS vulnerability via a link on the "Dashboard > All Panels > General" screen
A flaw was found in grafana. An incomplete fix for CVE-2018-12099 allows for an XSS via a column style on the "Dashboard > All Panels > General" screen.
Statement: While OpenShift 3.11 grafana-container packages a vulnerable version of grafana, the dashboard is set to read-only meaning that the vulnerable component cannot be added or modified to contain the potential XSS. As OpenShift still packages the vulnerable code, the component is affected but with impact Low.
In OpenShift ServiceMesh 1.0 the grafana component is a vulnerable version, however
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla·2020-06-24·CVSS 6.1·MEDIUM
CVE-2018-18625 grafana: XSS vulnerability via a link on the "Dashboard > All Panels > General" screen
https://github.com/grafana/grafana/pull/11813
https://security.netapp.com/advisory/ntap-20200608-0008/
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1850584]
---
This vulnerability actually applies to the "dashboard" field at "Home > Edit Panel > Add Link > General > Dashboard" after the dashboard title has been set: https://github.com/grafana/grafana/pull/11813#issuecomment-458000030
---
OpenShift packages a vulnerable version of grafana:
- OpenShift 3.11 grafana v5.2.3
ServiceMesh also pa
Bugzilla
bugzilla·2020-06-24·CVSS 6.1·MEDIUM
CVE-2018-18625 grafana: XSS vulnerability via a link on the "Dashboard > All Panels > General" screen [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issu