
CVSS: 5.4 • EPSS: 6% • CPEs: 1 • EXPL: 2

29 Jun 2019 — public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field). Grafana versions 6.2.4 and below suffer from an HTML injection vulnerability. • https://packetstorm.news/files/id/171500 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 12% • CPEs: 8 • EXPL: 0

13 Dec 2018 — Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. A security issue was found that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. However,... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor