A persistent (stored) cross-site scripting vulnerability was found in the InfluxDB and Graphite query editors of Grafana before 5.3.2. Upstream issues: https://github.com/grafana/grafana/issues/13667 https://github.com/grafana/grafana/pull/13670
Both the Ceph and Gluster storage products ship a Grafana build affected by this cross-site scripting vulnerability. For instance, an attacker with dashboard edit rights can store script (such as a URL-opening payload) in a query editor field; when another user clicks that field, the script executes in their browser and can redirect them to a site of the attacker's choosing. The issue can be reproduced with the payload below, where clicking the query editor field opens a new tab for redhat.com: "<script>window.open("https://www.redhat.com/")</script>"
Statement: The version of Grafana provided in Red Hat OpenStack Optools does not contain the vulnerable functionality and is not affected by this vulnerability. Additionally, Grafana is unsupported in Red Hat OpenStack. The Grafana shipped with Ceph and Gluster includes the affected code and is vulnerable to a cross-site scripting attack via the query editor.