VYPR
Moderate severity · NVD Advisory · Published Jun 29, 2019 · Updated Aug 4, 2024

CVE-2019-13068

Description

public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Grafana before 6.2.5 allows HTML injection in panel drilldown links via the Title or URL field, enabling stored XSS.

Vulnerability

Overview

CVE-2019-13068 is an HTML injection vulnerability in Grafana versions prior to 6.2.5. The flaw resides in the public/app/features/panel/panel_ctrl.ts file, where panel drilldown links are not properly escaped. An attacker can inject arbitrary HTML into the Title or URL fields of a panel link, leading to stored cross-site scripting (XSS) when a user views the dashboard [2].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have the ability to create or edit dashboards, which typically requires Editor or Admin privileges. The injected HTML is stored in the dashboard configuration and executed in the browser of any user who opens the affected panel. No additional user interaction beyond viewing the dashboard is needed [2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's Grafana session. This can lead to data exfiltration, session hijacking, or unauthorized actions performed on behalf of the victim. The vulnerability is classified as medium severity with a CVSS v3 score of 6.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) [2].

Mitigation

The issue was fixed in Grafana version 6.2.5, released on May 25, 2019. The fix fully escapes HTML in drilldown links instead of only sanitizing it [4]. Users are strongly advised to upgrade to Grafana 6.2.5 or later. No workarounds are documented, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
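The escape-instead-of-sanitize distinction described above, shown as an added example in plain JavaScript that is not Grafana's code: a renderer that interpolates the link fields straight into markup beside one that HTML-escapes every field before use. The link object shape, the `safeHref` scheme policy, the `containsInjectedTag` check and the sample title are assumptions constructed for the example.

```javascript
// Added example (not Grafana's code): escaping drilldown-link fields before
// they are placed into panel HTML. Field names and inputs are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag or close an attribute value.
// Unlike a sanitizer, this keeps no markup at all from the input.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed policy for the href attribute: allow http(s) and same-origin
// relative paths (not protocol-relative "//"), otherwise fall back to "#".
// HTML escaping alone says nothing about the URL scheme, so this is a
// separate check.
function safeHref(url) {
  const s = String(url).trim();
  if (/^https?:\/\//i.test(s)) return s;
  if (s.startsWith('/') && !s.startsWith('//')) return s;
  return '#';
}

// Vulnerable pattern: user-controlled title and url land in the markup as-is.
function renderDrilldownUnsafe(link) {
  return `<a href="${link.url}" title="${link.title}">${link.title}</a>`;
}

// Hardened pattern: every field is escaped, and the href is scheme-checked.
function renderDrilldownSafe(link) {
  const title = escapeHtml(link.title);
  const href = escapeHtml(safeHref(link.url));
  return `<a href="${href}" title="${title}">${title}</a>`;
}

// Detection helper for tests: true if the rendered HTML contains any tag
// other than the anchor the renderer itself emits.
function containsInjectedTag(html) {
  return /<(?!\/?a[\s>])[a-z]/i.test(html);
}

// Constructed sample: a panel link whose title carries markup.
const SAMPLE_LINK = {
  title: 'Latency <img src=x onerror="probe()">',
  url: '/d/abc123/latency?orgId=1',
};

console.log('unsafe :', renderDrilldownUnsafe(SAMPLE_LINK));
console.log('safe   :', renderDrilldownSafe(SAMPLE_LINK));
```

The unsafe renderer emits the injected `<img>` element twice (inside the title attribute and as anchor text); the hardened one emits only `&lt;img ...&gt;`, which the browser displays as literal text. A sanitizer that tries to keep "harmless" tags has to enumerate what is dangerous; escaping does not.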

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions   Patched versions
github.com/grafana/grafana (Go)   < 6.2.5             6.2.5

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.