14 matches found
EUVD-2024-1406
Malicious code in bioql PyPI...
GO-2025-3814 Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana
Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
Open Redirect
github.com/grafana/grafana is vulnerable to open redirect. The vulnerability is due to improper validation of redirect URLs, which allows an attacker to chain it with path traversal issues to perform cross-site scripting XSS attacks...
Grafana's insecure DingDing Alert integration exposes sensitive information
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01,...
Grafana long dashboard title or panel name causes unresponsives
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher...
CVE-2025-1088 Very long unicode dashboard title or panel name can hang the frontend
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher...
GHSA-9J65-RV5X-4VRF Grafana's datasource proxy API allows authorization checks to be bypassed
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily...
CVE-2022-32276
Grafana 8.4.3 allows unauthenticated access via for example a /dashboard/snapshot/?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability...
PT-2023-8896 · Grafana +2 · Grafana +2
Name of the Vulnerable Software and Affected Versions: Grafana affected versions not specified Description: The issue impacts Grafana instances with multiple organizations, allowing a user with Organization Admin permissions in one organization to change permissions associated with Organization...
CVE-2023-2801
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public...
CVE-2023-0507
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript...
CVE-2018-18624
Grafana 5.3.1 has XSS via a column style on the "Dashboard Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099...
SUSE-SU-2018:2536-1 Security update for grafana, kafka, logstash and monasca-installer
This update for grafana, kafka, logstash and monasca-installer fixes the following issues: The following security issues have been fixed: grafana: - CVE-2018-12099: Fix Cross-Site-Scripting XSS vulnerabilities in dashboard links. bsc1096985 kafka: - CVE-2018-1288: Authenticated Kafka users may...
SUSE-SU-2018:2317-1 Security update for grafana, kafka, logstash, openstack-monasca-installer
This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues: Security issues fixed: - CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links bsc1096985. - CVE-2018-3817: logstash: Fix inadvertently logging of sensitive information bsc1090849. Bug...