header-logo
Suggest Exploit
vendor:
Grafana
by:
SimranJeet Singh
5.4
CVSS
MEDIUM
HTML Injection
79
CWE
Product Name: Grafana
Affected Version From: 6.2.2004
Affected Version To: 6.2.2004
Patch Exists: YES
Related CWE: CVE-2019-13068
CPE: a:grafana:grafana:6.2.4
Metasploit:
Other Scripts:
Platforms Tested:
2019

Grafana <=6.2.4 – HTML Injection

The uri "public/app/features/panel/panel_ctrl.ts" in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field) Payload used - &lt;img src="[image_URL]"&gt;&lt;h1&gt;Hello&lt;/h1&gt;

Mitigation:

Upgrade to Grafana 6.2.5 or later
Source

Exploit-DB raw data:

# Exploit Title: Grafana <=6.2.4 - HTML Injection
# Date: 30-06-2019
# Exploit Author: SimranJeet Singh
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download/6.2.4
# Version: 6.2.4
# CVE : CVE-2019-13068

The uri "public/app/features/panel/panel_ctrl.ts" in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field)

Payload used - <img src="[image_URL]"><h1>Hello</h1>

Navigation

Suggest Exploit

Services By CQR