
CVE-2020-12245 – grafana: XSS via column.title or cellLinkTooltip
https://notcve.org/view.php?id=CVE-2020-12245
24 Apr 2020 — Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. A flaw was found in Grafana. An XSS is possible in table-panel via column.title or cellLinkTooltip. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-15043 – grafana: incorrect access control in snapshot HTTP API leads to denial of service
https://notcve.org/view.php?id=CVE-2019-15043
03 Sep 2019 — In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, Inf... • https://github.com/h0ffayyy/CVE-2019-15043 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-306: Missing Authentication for Critical Function

CVE-2019-13068 – Grafana <=6.2.4 - HTML Injection
https://notcve.org/view.php?id=CVE-2019-13068
29 Jun 2019 — public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field). Grafana versions 6.2.4 and below suffer from an HTML injection vulnerability. • https://packetstorm.news/files/id/171500 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')