CVSS: 5.4 • EPSS: 6% • CPEs: 1 • EXPL: 2

29 Jun 2019 — public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field). Grafana versions 6.2.4 and below suffer from an HTML injection vulnerability. • https://packetstorm.news/files/id/171500 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 12% • CPEs: 8 • EXPL: 0

13 Dec 2018 — Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. A security issue was found that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. However,... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.8 • EPSS: 77% • CPEs: 5 • EXPL: 2

29 Aug 2018 — Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. Red Hat Gluster Storage Web Administration ... • https://github.com/u238/grafana-CVE-2018-15727 • CWE-287: Improper Authentication

CVSS: 6.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

11 Jun 2018 — Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links. • https://github.com/grafana/grafana/pull/11813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')