Grafana
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*
- < 10.4.18
- < 11.2.9
- < 11.3.6
- < 11.4.4
- < 11.5.4
- < 11.6.1
- < 12.0.0
A cross-site scripting (XSS) vulnerability has been identified in Grafana. It arises from the combination of a client-side path traversal and an open redirect: an attacker can redirect a user to an attacker-controlled site hosting a frontend plugin whose JavaScript then executes in the user's browser in the context of the Grafana origin. Exploitation does not require editor permissions, and if anonymous access is enabled the XSS works against unauthenticated users as well. If the Grafana Image Renderer plugin is installed, the same open redirect can additionally be abused to achieve a full-read server-side request forgery (SSRF), where the renderer fetches attacker-chosen URLs and returns their content.
Grafana's default Content-Security-Policy blocks the XSS through the connect-src directive. That mitigation only helps deployments that have kept the default CSP, and it does not address the open redirect or the renderer-based SSRF, so the issue remains significant and the fixed builds should be deployed regardless of CSP configuration.
This vulnerability has been fixed in Grafana versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, and 12.0.0+security-01. Note that the fix ships only in the builds carrying the +security-01 tag; the corresponding base releases without that tag are not fixed, so a version check must not discard the build metadata the way a plain semver comparison would.
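A quick way to triage a fleet against the fixed-version list above is to read the version reported by Grafana's unauthenticated /api/health endpoint and compare it against the +security-01 builds. The following is an added example written for this page, not Grafana's own code or tooling; the sample JSON bodies are constructed, not captured from a real instance, and the ordering rule for release lines the advisory does not list (older lines treated as unpatched, newer lines as cut after the fix) is an assumption stated in the comments.

```python
"""Check a Grafana version string against the advisory's fixed versions.

The fix ships only as "+security-01" builds. Standard semver treats build
metadata as insignificant, so a naive semver comparison would report
11.6.1 == 11.6.1+security-01 and mark a vulnerable instance as fixed.
"""
import json
import re

# Fixed versions exactly as listed in the advisory.
FIXED_VERSIONS = [
    "10.4.18+security-01", "11.2.9+security-01", "11.3.6+security-01",
    "11.4.4+security-01", "11.5.4+security-01", "11.6.1+security-01",
    "12.0.0+security-01",
]

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


def parse_version(text):
    """Return (major, minor, patch, security_build) for a Grafana version.

    security_build is the N in "+security-NN" and 0 when absent, so that
    11.6.1 sorts below 11.6.1+security-01. A pre-release tag (e.g.
    12.0.0-pre) maps to -1 so it sorts below the corresponding release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(m.group(k)) for k in ("major", "minor", "patch"))
    security = 0
    if m.group("build"):
        b = re.fullmatch(r"security-(\d+)", m.group("build"))
        security = int(b.group(1)) if b else 0
    if m.group("pre"):
        security = -1
    return (major, minor, patch, security)


def is_fixed(version):
    """True if `version` contains the fix for this advisory."""
    installed = parse_version(version)
    fixed = [parse_version(v) for v in FIXED_VERSIONS]
    same_line = [f for f in fixed if f[:2] == installed[:2]]
    if same_line:
        # Same major.minor line: patched iff at or above the security build.
        return installed >= min(same_line)
    # Assumption for lines the advisory does not list: lines newer than the
    # newest fixed line were cut after the fix; older unlisted lines never
    # received a fixed build and are treated as vulnerable.
    return installed[:2] > max(fixed)[:2]


def check_health_json(body):
    """Evaluate the JSON body returned by Grafana's /api/health.

    Returns (version, fixed). The endpoint reports the running build's
    version string, including any +security-NN tag.
    """
    version = json.loads(body)["version"]
    return version, is_fixed(version)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real instance.
    samples = [
        '{"commit": "abc1234", "database": "ok", "version": "11.6.1"}',
        '{"commit": "abc1234", "database": "ok", "version": "11.6.1+security-01"}',
        '{"commit": "abc1234", "database": "ok", "version": "12.0.1"}',
        '{"commit": "abc1234", "database": "ok", "version": "11.1.3"}',
    ]
    for body in samples:
        v, ok = check_health_json(body)
        print(f"{v:24} {'fixed' if ok else 'VULNERABLE'}")
```

In practice, feed the script the body of `GET https://<grafana-host>/api/health` for each instance; the point of parsing the build tag explicitly is that 11.6.1 and 11.6.1+security-01 must come out on opposite sides of the line, which off-the-shelf semver libraries will not do.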