I have found a persistent XSS in Grafana's query editor for Graphite and InfluxDB. The XSS is triggered when clicking the field in the query editor's "FROM" row in which the payload [1] was previously inserted.
I checked this vulnerability in version 5.2.4 and version 5.3.0, both on Ubuntu 16.04.
I attached this short screencast to make it easy to reproduce the behaviour.
[1] "<script>alert('XSS')</script>
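The following is an added illustration of the bug class described in the report (a stored value re-rendered into the editor as live HTML), not Grafana's own code and not the actual code path behind this issue. The `renderFromFieldUnsafe`, `renderFromFieldSafe`, `escapeHtml` and `renderedTagCount` names and the `<input>` template are assumptions chosen for the example; the payload is the one given in the report.

```javascript
// Added example, not Grafana code. It shows why a value stored from the
// query editor (e.g. a measurement name) must not be concatenated into
// HTML when the "FROM" field is rebuilt on click.

// Payload [1] from the report, including the leading double quote, which
// closes an enclosing attribute value before the <script> tag starts.
const PAYLOAD = "\"<script>alert('XSS')</script>";

// Vulnerable pattern (assumed, for illustration): the stored value is
// string-concatenated into markup that is later assigned to innerHTML or
// compiled as a template. The quote and the tags survive intact.
function renderFromFieldUnsafe(storedValue) {
  return '<input class="from" value="' + storedValue + '">';
}

// Minimal fix: HTML-escape the five characters that can break out of text
// or attribute context. Setting element.value / textContent instead of
// building HTML strings avoids the problem entirely.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFromFieldSafe(storedValue) {
  return '<input class="from" value="' + escapeHtml(storedValue) + '">';
}

// Crude regression check: the template contributes exactly one '<'. Any
// additional '<' in the rendered markup means stored data became a tag.
function renderedTagCount(html) {
  return (html.match(/</g) || []).length;
}

// Stand-alone demonstration.
console.log('unsafe:', renderFromFieldUnsafe(PAYLOAD), 'tags:', renderedTagCount(renderFromFieldUnsafe(PAYLOAD)));
console.log('safe:  ', renderFromFieldSafe(PAYLOAD), 'tags:', renderedTagCount(renderFromFieldSafe(PAYLOAD)));
```

With the report's payload the unsafe renderer emits three tags (`<input`, `<script>`, `</script>`) and the attribute value is terminated early by the leading quote; the escaped renderer emits a single `<input>` whose value attribute still contains the full literal text.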