Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. https://github.com/grafana/grafana/pull/11813 https://security.netapp.com/advisory/ntap-20200608-0008/
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1850573]
Upstream commit: https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e
ServiceMesh packages a vulnerable version of grafana v6.4.3 in the openshift-service-mesh/grafana-rhel8 container.
upstream PR: https://github.com/grafana/grafana/pull/23816
Statement: Both OpenShift 3.11 and 4.x grafana containers package a vulnerable version of grafana. However, the grafana instance is set to read-only, meaning that the potential XSS attack cannot be performed, as the table panel cannot be modified or added. As OpenShift still packages the vulnerable code, the components are affected, but with impact Low. In OpenShift ServiceMesh the grafana component is a vulnerable version; however, as it is behind OpenShift OAuth, restricting access to authenticated users only, the impact is Low.
External References: https://security.netapp.com/advisory/ntap-20200608-0008/
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-18624
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682