Ekacnet · Grafanacubism-Panel · CVE-2026-32117
**Name of the Vulnerable Software and Affected Versions**
grafanacubism-panel versions 0.1.2 and earlier
**Description**
The grafanacubism-panel plugin enables the use of cubism.js within Grafana. The panel’s zoom-link handler directly passes a URL supplied by the dashboard editor to `window.location.assign()` or `window.open()` without validating the URL scheme. An attacker possessing dashboard Editor privileges can configure the link to a `javascript:` URI. Subsequently, when any Viewer performs a drag-zoom action on the panel, the malicious code executes within the Grafana origin. The vulnerable component is the zoom-link handler. The vulnerable functions are `window.location.assign()` and `window.open()`.
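The missing check described above, shown as an added example that is not the plugin's own code: a scheme allowlist applied before the editor-supplied link reaches the navigation sink. `safeZoomUrl`, `zoomNavigate`, the injected `sink` callback and the sample URLs are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for an editor-supplied zoom link.
// safeZoomUrl, zoomNavigate and the sample inputs are hypothetical names/values.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse the link the way the browser will, then allow only http(s).
// Returns the normalized absolute URL, or null if the link must not be followed.
function safeZoomUrl(raw, base) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let parsed;
  try {
    // The WHATWG parser strips leading whitespace and embedded tabs/newlines
    // and lowercases the scheme, so "  JaVa\tScRiPt:" is seen as "javascript:".
    parsed = new URL(raw, base);
  } catch {
    return null; // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Vulnerable shape described above: the link reaches the sink unchecked.
function zoomNavigateUnsafe(link, sink) {
  sink(link);
  return true;
}

// Hardened shape: only a validated, normalized URL reaches the sink.
function zoomNavigate(link, sink, base) {
  const url = safeZoomUrl(link, base);
  if (url === null) return false;
  sink(url);
  return true;
}

// Constructed inputs; in a browser the sink would be window.location.assign
// or window.open, and base would be window.location.href.
const BASE = 'https://grafana.example/d/abc/overview';
function demo() {
  const samples = ['/d/abc/detail?from=1&to=2', 'https://wiki.example/runbook',
    'javascript:void(0)', '  JaVa\tScRiPt:void(0)', 'data:text/html,x'];
  return samples.map((s) => {
    const reached = [];
    const ok = zoomNavigate(s, (u) => reached.push(u), BASE);
    return { input: s, followed: ok, url: reached[0] ?? null };
  });
}
console.log(demo());
```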
**Recommendations**
Update grafanacubism-panel to a version later than 0.1.2.