cvebase

Github.Com Grafana Grafana vulnerabilities

61 known vulnerabilities affecting github.com/grafana_grafana.

Total CVEs: 61
CISA KEV: 2 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 35, LOW 3

Vulnerabilities

Page 3 of 4
CVE-2018-18623 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 0, < 6.0.0-beta1 | 2024-01-30
CWE-79: Grafana XSS in Dashboard Text Panel
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Sources: GHSA, OSV
CVE-2020-24303 | P4 | MEDIUM | affected: ≥ 0, < 7.1.0-beta1 | 2022-05-24
CWE-79: Grafana XSS via a query alias for the ElasticSearch datasource
Grafana before 7.1.0-beta1 allows XSS via a query alias for the ElasticSearch datasource.
Sources: GHSA, OSV
CVE-2022-39307 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 9.0.0, < 9.2.4; ≥ 0, < 8.5.15 | 2024-05-14
CWE-200: Grafana User enumeration via forget password
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate security fixes for CVE-2022-39307. We are also releasing security patches for Grafana 8.5.15 to fix these issues. Release 9.2.4, latest patch, also containing security fix: - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4) Release 8.5.15, only contai
Sources: GHSA, OSV
CVE-2023-6152 | P4 | MEDIUM | affected: ≥ 2.5.0, < 9.5.16; ≥ 10.0.0, < 10.0.11; +3 more | 2024-02-13
CWE-863: Email Validation Bypass And Preventing Sign Up From Email's Owner
Summary: Email validation can easily be bypassed because the `verify_email_enabled` option enables email validation at sign up only. A user changing their email after signing up (and verifying it) can change it without verification in `/profile`. This can be used to prevent the legitimate owner of the email address from signing up. Another
Sources: GHSA, OSV
CVE-2018-18625 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 0, < 6.0.0-beta1 | 2024-01-30
CWE-79: Grafana XSS via adding a link in General feature
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Sources: GHSA, OSV
CVE-2020-12245 | P4 | MEDIUM | affected: ≥ 0, < 6.7.3 | 2022-05-24
CWE-79: Grafana XSS in header column rename
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
Sources: GHSA, OSV
CVE-2018-18624 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 0, < 7.0.0 | 2022-05-24
CWE-79: Grafana XSS via a column style
Grafana has an XSS vulnerability via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Sources: GHSA, OSV
CVE-2020-13430 | P4 | MEDIUM | affected: ≥ 0, < 7.0.0 | 2022-05-24
CWE-79: Grafana XSS via the OpenTSDB datasource
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
Sources: GHSA, OSV
CVE-2022-21713 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 5.0.0-beta1, < 7.5.15; ≥ 8.0.0, < 8.3.5 | 2024-05-14
CWE-639: Grafana API IDOR
Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes a MEDIUM severity security fix for the Grafana Teams API IDOR. Release v.8.3.5, only containing security fixes: - [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/) Release v.7.5.15, only containing security fixes: - [Download Grafana 7.5.15](htt
Sources: GHSA, OSV
CVE-2018-12099 | P4 | MEDIUM | affected: ≥ 0, < 5.2.0-beta1 | 2024-01-31
CWE-79: Grafana Cross-site Scripting (XSS)
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
Sources: GHSA, OSV
CVE-2018-1000816 | P4 | MEDIUM | affected: ≥ 0, < 5.3.2 | 2022-05-14
CWE-79: Grafana XSS Vulnerability
Grafana, confirmed for versions 5.2.4 and 5.3.0, contains a Cross Site Scripting (XSS) vulnerability in the InfluxDB and Graphite query editor that can result in running arbitrary JS code in the victim's browser. This attack appears to be exploitable via the following: an authenticated user must click on the input field where the payload was previously inserted.
Sources: GHSA, OSV
CVE-2020-12458 | P4 | HIGH | affected: ≥ 0, < 7.2.1 | 2022-05-24
CWE-312: Grafana information disclosure
An information-disclosure flaw was found in Grafana. The database directory `/var/lib/grafana` and database file `/var/lib/grafana/grafana.db` are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
Sources: GHSA, OSV
CVE-2026-21724 | P4 | MEDIUM | affected: ≥ 0, < 1.9.2-0.20260323180334-daffe750de85 | 2026-03-26
CWE-285: Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers
Sources: GHSA
CVE-2020-12459 | P4 | HIGH | affected: ≥ 6.0.0-beta1, < 7.2.1 | 2022-05-24
CWE-200: Grafana world readable configuration files
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files `/etc/grafana/grafana.ini` and `/etc/grafana/ldap.toml` (which contain a secret_key and a bind_password) are world readable.
Sources: GHSA, OSV
CVE-2022-39229 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 0, < 8.5.14; ≥ 9.0.0, < 9.1.8 | 2024-05-14
CWE-287: Grafana when using email as a username can block other users from signing in
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39229. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security f
Sources: GHSA, OSV
CVE-2023-1410 | P4 | MEDIUM | affected: ≥ 8.0.0, < 8.5.22; ≥ 9.3.0, < 9.3.11; +2 more | 2023-03-23
CWE-79: Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
Summary: When a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use `Functions`. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function from your quer
Sources: GHSA, OSV
CVE-2024-11741 | P4 | MEDIUM | affected: ≥ 11.4.0, < 11.4.1; ≥ 11.3.0, < 11.3.3; +6 more | 2025-01-31
CWE-200: Grafana Alerting VictorOps integration could be exposed to users with Viewer permission
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15.
Sources: GHSA, OSV
CVE-2022-36062 | P4 | LOW | CVSS 3.8 | affected: ≥ 8.5.0, < 8.5.13; ≥ 9.0.0, < 9.0.9; +1 more | 2024-05-14
CWE-281: Grafana folders admin only permission privilege escalation
Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-36062 that affects Grafana instances which are using Grafana role-based access control (RBAC). Release 9.1.6, latest patch, also containing security fix: - [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6
Sources: GHSA, OSV
CVE-2022-39324 | P4 | MEDIUM | affected: ≥ 9.0.0, < 9.2.8; ≥ 0, < 8.5.16 | 2024-05-14
CWE-79: Grafana Spoofing originalUrl of snapshots
To create a snapshot (and insert an arbitrary URL) the built-in role Viewer is sufficient. When a dashboard is shared as a local snapshot, the following three fields are offered in the web UI for a user to fill out: Snapshot name, Expire, Timeout (seconds). After the user confirms creation of the snapshot (i.e. clicks the "Local Snapshot" button) an HTTP POST request is sent to th
Sources: GHSA, OSV
CVE-2024-10452 | P4 | LOW | affected: ≥ 0, ≤ 10.4.0 | 2024-10-29
CWE-639: Grafana org admin can delete pending invites in different org
Organization admins can delete pending invites created in an organization they are not part of.
Sources: GHSA, OSV