rpm package
suse/grafana&distro=SUSE Enterprise Storage 5
pkg:rpm/suse/grafana&distro=SUSE%20Enterprise%20Storage%205
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11110 | — | | | < 4.6.5-3.13.1 | 4.6.5-3.13.1 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. |
| CVE-2019-15043 | — | | | < 4.6.5-3.10.1 | 4.6.5-3.10.1 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. |
| CVE-2019-13068 | — | | | < 4.6.5-3.10.1 | 4.6.5-3.10.1 | Jun 29, 2019 | public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field). |
| CVE-2018-19039 | — | | | < 4.6.5-3.10.1 | 4.6.5-3.10.1 | Dec 13, 2018 | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. |
| CVE-2018-15727 | — | | | < 4.6.5-3.10.1 | 4.6.5-3.10.1 | Aug 29, 2018 | Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. |
| CVE-2018-12099 | — | | | < 4.6.5-3.10.1 | 4.6.5-3.10.1 | Jun 11, 2018 | Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links. |