Grafana Cubism Panel Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability exists in the Grafana Cubism Panel plugin, versions up to and including 0.1.2. The panel's zoom-link handler passes a URL supplied by the dashboard editor straight to navigation functions such as window.location.assign() and window.open() without validating the URL scheme. A user with dashboard editor privileges can therefore save a javascript: URI as the panel link; when a viewer uses the panel's drag-zoom feature, the handler navigates to that URI and the injected script executes in the context of the Grafana origin.

Impact

Successful exploitation yields stored cross-site scripting: the injected script runs in the Grafana origin with the viewer's session, so it has the same access to Grafana that the viewer's browser has. Because the handler accepts any absolute URL, an editor can also store a link such as https://attacker.example/ and turn the drag-zoom action into an open redirect to an arbitrary external site.

Reproduction

A user with editor rights adds a Cubism panel to a dashboard and, in the panel's link option, enters a javascript: URL such as javascript:alert(document.cookie). After the dashboard is saved, any user who can open it and drag-zoom on the Cubism panel triggers the alert, which runs in the Grafana origin.
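The handler behaviour described above and a scheme-validating replacement, as an added example that is not the plugin's code or its 0.1.3 patch. The function names, the page origin https://grafana.example, the `navigate` callback standing in for window.location.assign() and window.open(), and the sample links are assumptions:

```javascript
// Added example, not code from the Cubism Panel plugin: the unsafe pattern the
// advisory describes next to a scheme-validating replacement. Function names,
// the page origin "https://grafana.example" and the sample links are assumptions.

// Unsafe form: the editor-supplied link goes straight to the navigation call.
// A "javascript:" URI handed to window.location.assign() runs in the page origin.
function navigateUnsafe(zoomLink, navigate) {
  navigate(zoomLink);
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve the stored link against the page origin and return an absolute href,
// or null if it must not be navigated to. Parsing with the URL constructor rather
// than a string-prefix check matters: the WHATWG parser lower-cases the scheme and
// strips embedded tabs and newlines, so "JaVaScRiPt:" and "java\tscript:" both come
// out as "javascript:" and are rejected. sameOriginOnly additionally closes the
// open redirect by refusing absolute links to other hosts.
function resolveZoomLink(zoomLink, pageOrigin, { sameOriginOnly = false } = {}) {
  if (typeof zoomLink !== "string") return null;
  let target;
  try {
    target = new URL(zoomLink, pageOrigin);
  } catch (e) {
    return null; // unparseable input is not a link
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  if (sameOriginOnly && target.origin !== new URL(pageOrigin).origin) return null;
  return target.href;
}

// Hardened form: only navigate when the link resolves to an allowed URL.
// `navigate` stands in for window.location.assign or window.open.
function navigateSafe(zoomLink, pageOrigin, navigate, opts) {
  const href = resolveZoomLink(zoomLink, pageOrigin, opts);
  if (href === null) return false;
  navigate(href);
  return true;
}

// Constructed sample links an editor might store in the panel's link option.
const SAMPLE_LINKS = [
  "/d/abc123/my-dash?from=now-1h&to=now",
  "https://grafana.example/d/abc123?from=1&to=2",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//attacker.example/phish",
  "https://attacker.example/",
];

// Map each sample link to what resolveZoomLink would navigate to (or null).
function classifyLinks(pageOrigin, opts) {
  const result = {};
  for (const link of SAMPLE_LINKS) {
    result[link] = resolveZoomLink(link, pageOrigin, opts);
  }
  return result;
}

console.log("scheme check only:", classifyLinks("https://grafana.example"));
console.log("scheme + same origin:", classifyLinks("https://grafana.example", { sameOriginOnly: true }));
```

With the scheme check alone, javascript: and data: links are dropped but https://attacker.example/ still resolves, so the open redirect remains; the sameOriginOnly option is one way to close it, at the cost of disallowing legitimate links to other hosts. Whether the 0.1.3 release takes that stricter route is not stated here.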

Remediation

Update the Grafana Cubism Panel plugin to version 0.1.3, which patches this vulnerability. Because the payload is stored in the dashboard definition, it is also worth reviewing existing dashboards that use the panel for links with a javascript: or other non-http(s) scheme.

Added: Mar 11, 2026, 10:39 PM
Updated: Mar 11, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.7
  exploitability  6.3
  remediation     0.0
  relevance       3.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.