Описание
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive.
A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious websites. This attack can be carried out without requiring elevated privileges if anonymous access is enabled.
Отчет
This Grafana vulnerability is Important due to its low exploitation barrier and high impact. Unlike typical XSS flaws, it can be triggered without authentication if anonymous access is enabled—a common setup in shared dashboards. It arises from improper handling of user-supplied paths in custom frontend plugins, leading to XSS and open redirect. When combined with the Grafana Image Renderer plugin, it enables full-read SSRF, exposing internal services and cloud metadata. This makes it a high-severity issue with serious real-world implications, especially in misconfigured or publicly exposed Grafana instances.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Дополнительная информация
Статус:
7.6 High
CVSS3
Связанные уязвимости
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
A cross-site scripting (XSS) vulnerability exists in Grafana caused by ...
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
7.6 High
CVSS3