Grafana is a free software system for data visualization, oriented toward data from IT monitoring systems.
Release cycle and vulnerability information
Release schedule
Count: 403
CVE-2025-4123
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
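The description above credits the `connect-src` directive with stopping the plugin load in the default configuration, so the practical check for an operator is whether the CSP actually served by their instance restricts that directive. The following is an added example, not Grafana's own code: a small CSP parser that resolves the effective `connect-src` source list (falling back to `default-src` as browsers do) and reports whether it is restricted. The sample header values are constructed for illustration and are not copied from a real Grafana response.

```python
"""Check whether a Content-Security-Policy restricts connect-src.

Added example, not Grafana's code. The SAMPLES dictionary holds constructed
header values for illustration only.
"""
from typing import Dict, List, Optional

# Source expressions that make a directive effectively unrestricted.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';'. The first token of each directive is
    its name (case-insensitive); the remaining tokens are source expressions.
    When a directive is repeated, the first occurrence wins, as in browsers.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list governing `directive`.

    Fetch directives such as connect-src inherit from default-src when absent.
    Returns None when neither is present, meaning the browser applies no
    restriction to that kind of request.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def connect_src_restricted(header: str) -> bool:
    """True if the policy limits where page scripts may fetch or connect.

    A plugin hosted on an attacker-controlled origin can only be fetched if
    the effective connect-src allows that origin, so a missing directive or
    a wildcard host leaves the described bypass open.
    """
    sources = effective_sources(parse_csp(header), "connect-src")
    if sources is None:
        return False
    return not any(src in PERMISSIVE_SOURCES for src in sources)


# Constructed sample header values (not real Grafana output).
SAMPLES = {
    "self_only": "default-src 'self'; connect-src 'self'",
    "default_fallback": "default-src 'self'; script-src 'self' 'unsafe-eval'",
    "wildcard": "default-src 'self'; connect-src *",
    "missing": "script-src 'self'",
}


def audit(samples: Dict[str, str] = SAMPLES) -> Dict[str, bool]:
    """Evaluate each sample header and return {name: restricted?}."""
    return {name: connect_src_restricted(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, restricted in audit().items():
        print(f"{name:18} connect-src restricted: {restricted}")
```

To apply this to a live instance, fetch the `Content-Security-Policy` response header from the Grafana login page and pass its value to `connect_src_restricted`; a `False` result means the mitigation the description relies on is not in effect for that deployment.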
BDU:2025-06002
A vulnerability in the Grafana monitoring and observability platform related to access control errors, allowing an attacker to disrupt the operation of the program.
BDU:2025-06809
A vulnerability in the Custom Frontend Plugin component of the Grafana monitoring and observability platform, allowing an attacker to carry out cross-site scripting (XSS) attacks.
GHSA-66c4-2g2v-54qw
Grafana org admin can delete pending invites in different org
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of.
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| CVE-2025-4123: A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive. | CVSS3: 7.6 | 14% (Medium) | 9 months ago |
| BDU:2025-06002: A vulnerability in the Grafana monitoring and observability platform related to access control errors, allowing an attacker to disrupt the operation of the program. | CVSS3: 7.2 | 0% (Low) | 9 months ago |
| BDU:2025-06809: A vulnerability in the Custom Frontend Plugin component of the Grafana monitoring and observability platform, allowing an attacker to carry out cross-site scripting (XSS) attacks. | CVSS3: 7.6 | 14% (Medium) | 9 months ago |
| GHSA-66c4-2g2v-54qw: Grafana org admin can delete pending invites in different org. | CVSS3: 2.2 | 0% (Low) | more than 1 year ago |
| CVE-2024-10452: Organization admins can delete pending invites created in an organization they are not part of. | CVSS3: 2.2 | 0% (Low) | more than 1 year ago |