CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13430 – grafana: XSS via the OpenTSDB datasource
https://notcve.org/view.php?id=CVE-2020-13430
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. Grafana versiones anteriores a 7.0.0, permite un ataque de tipo XSS del valor de etiqueta por medio de la fuente de datos OpenTSDB. A flaw was found in grafana Tag value XSS via the OpenTSDB datasource are possible. The highest threat from this vulnerability is to data confidentiality and integrity. • https://github.com/grafana/grafana/pull/24539 https://github.com/grafana/grafana/releases/tag/v7.0.0 https://security.netapp.com/advisory/ntap-20200528-0003 https://access.redhat.com/security/cve/CVE-2020-13430 https://bugzilla.redhat.com/show_bug.cgi?id=1848108 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.2EPSS: 0%CPEs: 6EXPL: 1CVE-2020-12458 – grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
https://notcve.org/view.php?id=CVE-2020-12458
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords). Se encontró un fallo de divulgación de información en Grafana versiones hasta 6.7.3. El directorio de base de datos /var/lib/grafana y el archivo de base de datos /var/lib/grafana/grafana.db son de tipo world readable. • https://access.redhat.com/security/cve/CVE-2020-12458 https://bugzilla.redhat.com/show_bug.cgi?id=1827765 https://github.com/grafana/grafana/issues/8283 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A https://security.netapp.com/advisory/ntap-20200518-0001 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12052 – grafana: XSS annotation popup vulnerability
https://notcve.org/view.php?id=CVE-2020-12052
Grafana version < 6.7.3 is vulnerable for annotation popup XSS. Grafana versiones anteriores a la versión 6.7.3, es vulnerable a un ataque de tipo XSS del popup de anotaciones. A flaw was found in grafana. The software is vulnerable to an annotation popup XSS. • https://community.grafana.com/t/release-notes-v6-7-x/27119 https://security.netapp.com/advisory/ntap-20200511-0001 https://access.redhat.com/security/cve/CVE-2020-12052 https://bugzilla.redhat.com/show_bug.cgi?id=1848089 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12245 – grafana: XSS via column.title or cellLinkTooltip
https://notcve.org/view.php?id=CVE-2020-12245
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. Grafana versiones anteriores a la versiones 6.7.3, permite un ataque de tipo XSS del panel de tabla por medio de column.title o cellLinkTooltip. A flaw was found in grafana. A XSS is possible in table-panel via column.title or cellLinkTooltip. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html https://community.grafana.com/t/release-notes-v6-7-x/27119 https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23 https://github.com/grafana/grafana/pull/23816 https://secu • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15635
https://notcve.org/view.php?id=CVE-2019-15635
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box. • https://exchange.xforce.ibmcloud.com/vulnerabilities/167244 https://security.netapp.com/advisory/ntap-20191009-0002 • CWE-319: Cleartext Transmission of Sensitive Information CWE-522: Insufficiently Protected Credentials •