CVE-2020-12245
Description
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Grafana table panel before 6.7.3 is vulnerable to stored XSS via the column.title or cellLinkTooltip fields.
Vulnerability
Overview
CVE-2020-12245 is a stored cross-site scripting (XSS) vulnerability in the Grafana table panel, affecting versions prior to 6.7.3. The flaw exists because user-supplied input in the column.title and cellLinkTooltip fields is not HTML-escaped before being rendered in the dashboard [1][3]. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed when a victim views the affected dashboard.
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have the ability to create or edit dashboards containing table panels, or be able to modify existing table panel configurations. This typically requires editor or admin privileges within Grafana. The injected payload is stored in the dashboard configuration and triggers when any user (including those with lower privileges) views the dashboard, making it a stored XSS attack [1][2].
Impact
Successful exploitation enables arbitrary JavaScript execution in the context of the victim's Grafana session. An attacker could steal session cookies, perform actions on behalf of the victim, exfiltrate sensitive data displayed in dashboards, or deface the interface. The severity is rated high due to the potential for privilege escalation and data compromise [3].
Mitigation
The vulnerability was fixed in Grafana version 6.7.3, released on April 23, 2020 [2]. The fix, implemented in pull request #23816, adds proper sanitization of the column.title and cellLinkTooltip fields [1]. Users are strongly advised to upgrade to version 6.7.3 or later. No workarounds are documented; upgrading is the recommended action.
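An added example, not Grafana's code and not part of this record, modelling the two sinks the narrative names (the header title after an alias rename, and the cell-link tooltip after variable substitution) in their pre-6.7.3 and escaped forms; escapeHtml and replaceVars are assumed stand-ins for Grafana's textUtil.escapeHtml and templateSrv.replace, and all inputs are constructed.

```typescript
// Added example, not Grafana's code. escapeHtml and replaceVars are stand-ins
// (assumptions) for Grafana's textUtil.escapeHtml and templateSrv.replace.
// Encode the five characters that can change meaning inside HTML.
function escapeHtml(s: string): string {
  const map: Record<string, string> = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Expand ${name} from scoped variables; the values come from row data, so
// they are as untrusted as the dashboard JSON that holds the template.
function replaceVars(tpl: string, vars: Record<string, string>): string {
  return tpl.replace(/\$\{(\w+)\}/g, (_m, name: string) =>
    vars[name] !== undefined ? vars[name] : '');
}

// Sink 1: header title after a column-style alias rename. The alias is
// dashboard-controlled; before 6.7.3 it reached the renderer unescaped.
function headerTitleVulnerable(text: string, regex: RegExp, alias: string): string {
  return text.replace(regex, alias);
}
function headerTitleFixed(text: string, regex: RegExp, alias: string): string {
  return escapeHtml(text.replace(regex, alias));
}

// Sink 2: cell-link tooltip. Pre-fix it was replaceVars(tpl, vars) straight
// into the attribute. The fix escapes AFTER substitution, so row values are covered too.
function tooltipFixed(tpl: string, vars: Record<string, string>): string {
  return escapeHtml(replaceVars(tpl, vars));
}
// Escaping BEFORE substitution leaves variable values raw; shown only to make
// the ordering used by the fix explicit.
function tooltipEscapedTooEarly(tpl: string, vars: Record<string, string>): string {
  return replaceVars(escapeHtml(tpl), vars);
}

// Defender's check: a markup-significant character left in a value bound for HTML is a finding.
function hasRawMarkup(value: string): boolean {
  return /[<>"']/.test(value);
}

// Constructed inputs: an alias and a row value that carry markup.
function demo(): { vulnerable: boolean; fixed: boolean; tooEarly: boolean } {
  const vars = { host: '<i>h</i>' };
  return {
    vulnerable: hasRawMarkup(headerTitleVulnerable('Value A', /A/, '<b>x</b>')),
    fixed: hasRawMarkup(tooltipFixed('Open ${host}', vars)),
    tooEarly: hasRawMarkup(tooltipEscapedTooEarly('Open ${host}', vars)),
  };
}
```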
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | < 6.7.3 | 6.7.3 |
Affected products
- Grafana/Grafana (range: < 6.7.3)
Patches
0284747c88eb TablePanel: Fix XSS issue in header column rename (#23816)
1 file changed · +2 −2
public/app/plugins/panel/table-old/renderer.ts+2 −2 modified@@ -56,7 +56,7 @@ export class TableRenderer { column.style = style; if (style.alias) { - column.title = column.text.replace(regex, style.alias); + column.title = textUtil.escapeHtml(column.text.replace(regex, style.alias)); } break; @@ -300,7 +300,7 @@ export class TableRenderer { const cellLink = this.templateSrv.replace(column.style.linkUrl, scopedVars, encodeURIComponent); const sanitizedCellLink = textUtil.sanitizeUrl(cellLink); - const cellLinkTooltip = this.templateSrv.replace(column.style.linkTooltip, scopedVars); + const cellLinkTooltip = textUtil.escapeHtml(this.templateSrv.replace(column.style.linkTooltip, scopedVars)); const cellTarget = column.style.linkTargetBlank ? '_blank' : ''; cellClasses.push('table-panel-cell-link');
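Review bot: in the first hunk (renderer.ts around line 59) the escape covers only the `if (style.alias)` branch; column.title is presumably assigned in the non-alias case as well, and that path is outside this hunk, so confirm it is escaped at the same point or that the header renders the title through a text-only sink. Escaping at assignment also means column.title now holds entity-encoded text, which any non-HTML consumer of the field (exports, tooltips set via textContent) would display literally; escaping where the HTML string is built avoids that. The commit touches only renderer.ts (+2 −2), so a regression test rendering a header whose alias contains angle brackets would be worth adding.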
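Review bot: in the second hunk (renderer.ts around line 303) the ordering is right: textUtil.escapeHtml wraps the result of templateSrv.replace, so both the configured linkTooltip and any scopedVars values it pulls in are escaped. The neighbouring cellLink, by contrast, goes through textUtil.sanitizeUrl only; that guards the URL scheme, not attribute quoting, so if cellLink is concatenated into an href attribute as a string it should also be attribute-escaped (or set via a DOM property). As with the first hunk, no test accompanies the change.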
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html [ghsa, vendor-advisory, x_refsource_SUSE, WEB]
- lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html [ghsa, vendor-advisory, x_refsource_SUSE, WEB]
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html [ghsa, vendor-advisory, x_refsource_SUSE, WEB]
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html [ghsa, vendor-advisory, x_refsource_SUSE, WEB]
- github.com/advisories/GHSA-ccmg-w4xm-p28v [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2020-12245 [ghsa, ADVISORY]
- community.grafana.com/t/release-notes-v6-7-x/27119 [ghsa, x_refsource_MISC, WEB]
- github.com/grafana/grafana/blob/master/CHANGELOG.md [ghsa, x_refsource_MISC, WEB]
- github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e [ghsa, WEB]
- github.com/grafana/grafana/pull/23816 [ghsa, x_refsource_MISC, WEB]
- security.netapp.com/advisory/ntap-20200511-0001 [ghsa, WEB]
- security.netapp.com/advisory/ntap-20200511-0001/ [mitre, x_refsource_CONFIRM]
News mentions
No linked articles in our index yet.