github.com/grafana/grafana vulnerabilities

57 known vulnerabilities affecting github.com/grafana/grafana.

Total CVEs: 57
CISA KEV: 2 (actively exploited)
Public exploits: 8
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 31, LOW 3

Vulnerabilities

Page 3 of 3
CVE-2023-1410 [MEDIUM] | Affected: ≥ 8.0.0, < 8.5.22; ≥ 9.3.0, < 9.3.11; +2 more | 2023-03-23
CWE-79: Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
### Summary When a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use `Functions`. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function from your quer
CVE-2023-0507 [MEDIUM] | Affected: ≥ 8.1.0, < 8.5.21; ≥ 9.0.0, < 9.2.13; +1 more | 2023-03-01
CWE-79: Grafana vulnerable to Cross-site Scripting
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instanc
CVE-2023-22462 [MEDIUM] | Affected: ≥ 9.2.0, < 9.2.10; ≥ 9.3.0, < 9.3.4 | 2023-03-01
CWE-79: Grafana vulnerable to Stored Cross-site Scripting in Text plugin
### Description On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass tho
CVE-2023-0594 [MEDIUM] | Affected: ≥ 7.0.0, < 8.5.21; ≥ 9.0.0, < 9.2.13; +1 more | 2023-03-01
CWE-79: Grafana vulnerable to Cross-site Scripting
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible because the value of a span's attributes/resources was not properly sanitized and is rendered when the span's attributes/resources are expanded. An attacker needs
CVE-2020-12459 [HIGH] | Affected: ≥ 6.0.0-beta1, < 7.2.1 | 2022-05-24
CWE-200: Grafana world readable configuration files
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files `/etc/grafana/grafana.ini` and `/etc/grafana/ldap.toml` (which contain a secret_key and a bind_password) are world readable.
CVE-2020-12458 [HIGH] | Affected: ≥ 0, < 7.2.1 | 2022-05-24
CWE-312: Grafana information disclosure
An information-disclosure flaw was found in Grafana. The database directory `/var/lib/grafana` and database file `/var/lib/grafana/grafana.db` are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
CVE-2018-18624 [MEDIUM] CVSS 6.1 | Affected: ≥ 0, < 7.0.0 | 2022-05-24
CWE-79: Grafana XSS via a column style
Grafana has an XSS vulnerability via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2020-24303 [MEDIUM] | Affected: ≥ 0, < 7.1.0-beta1 | 2022-05-24
CWE-79: Grafana XSS via a query alias for the ElasticSearch datasource
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-13430 [MEDIUM] | Affected: ≥ 0, < 7.0.0 | 2022-05-24
CWE-79: Grafana XSS via the OpenTSDB datasource
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
CVE-2020-12245 [MEDIUM] | Affected: ≥ 0, < 6.7.3 | 2022-05-24
CWE-79: Grafana XSS in header column rename
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
CVE-2019-13068 [MEDIUM] | Affected: ≥ 0, < 6.2.5 | 2022-05-24
CWE-79: Grafana Cross-site Scripting vulnerability
`public/app/features/panel/panel_ctrl.ts` in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).
CVE-2020-11110 [MEDIUM] PoC | Affected: ≥ 0, < 6.7.2 | 2022-05-24
CWE-79: Grafana stored XSS
Grafana through 6.7.1 allows stored XSS.
CVE-2018-1000816 [MEDIUM] | Affected: ≥ 0, < 5.3.2 | 2022-05-14
CWE-79: Grafana XSS Vulnerability
Grafana (confirmed for versions 5.2.4 and 5.3.0) contains a Cross Site Scripting (XSS) vulnerability in the Influxdb and Graphite query editors that can result in running arbitrary JS code in the victim's browser. This attack appears to be exploitable via an authenticated user who must click on the input field where the payload was previously inserted.
CVE-2018-15727 [CRITICAL] | Affected: ≥ 0, < 4.6.4; ≥ 5.0.0, < 5.2.3 | 2022-02-15
CWE-287: Grafana Authentication Bypass
Grafana before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. ### Specific Go Packages Affected github.com/grafana/grafana/pkg/api
CVE-2020-13379 [MEDIUM] Exploited, PoC | Affected: ≥ 3.0.1, < 6.7.4; ≥ 7.0.0, < 7.0.2 | 2022-02-15
CWE-918: Server Side Request Forgery in Grafana
The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is
CVE-2021-27358 [MEDIUM] PoC | Affected: ≥ 6.7.3, < 7.4.2 | 2022-02-15
CWE-306: Denial of service in Grafana
The snapshot feature in Grafana before 7.4.2 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. ### Specific Go Packages Affected github.com/grafana/grafana/pkg/middleware
CVE-2021-39226 [HIGH] CVSS 7.3, KEV, PoC | Affected: ≥ 0, < 7.5.11; ≥ 8.0.0, < 8.1.6 | 2021-10-05
CWE-287: Authentication bypass for viewing and deletions of snapshots
Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1. [Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/pro