CVE-2019-13068 (NVD)

2019-06-30

public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).

Products: Grafana
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
First patch: None (likely due to unavailable code)
Links:
https://github.com/grafana/grafana/issues/17718
https://security.netapp.com/advisory/ntap-20190710-0001/
https://github.com/grafana/grafana/releases/tag/v6.2.5
http://packetstormsecurity.com/files/171500/Grafana-6.2.4-HTML-Injection.html