The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x bef ...

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an ...

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4. ...

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the Elast ...

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.