
Hoa X. Nguyen

Researcher from OPSWAT
#34256 of 53,633
7.6 Total CVSS
Vulnerabilities · 1
PT-2025-30012
7.6
2025-06-11
Grafana · Grafana Oss · CVE-2025-6023
**Name of the Vulnerable Software and Affected Versions**

- Grafana versions 11.3.8 through 11.6.3
- Grafana versions 11.4.6 through 11.5.6
- Grafana versions 11.5.0 through 11.5.6
- Grafana versions prior to 12.0.2+security-01
- Grafana versions prior to 1.9.2-0.20250521205822-0ba0b99665a9

**Description**

Grafana OSS is susceptible to an open redirect vulnerability that can be leveraged to carry out Cross-Site Scripting (XSS) attacks. The vulnerability was introduced in version 11.5.0 and can be combined with path traversal vulnerabilities to achieve XSS. It stems from insufficient protection of the web page structure, allowing a remote attacker to redirect users to arbitrary websites. No information is available regarding the number of potentially affected devices or any real-world incidents where this issue has been exploited. The vulnerability can be exploited through open redirects and path traversal. The vulnerable component is the redirection mechanism within Grafana.

**Recommendations**

- Update to Grafana version 12.0.2+security-01.
- Update to Grafana version 11.6.3+security-01.
- Update to Grafana version 11.5.6+security-01.
- Update to Grafana version 11.4.6+security-01.
- Update to Grafana version 11.3.8+security-01.
- Update to Grafana version 1.9.2-0.20250521205822-0ba0b99665a9 or later.
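The advisory above describes the defensive problem in general terms: a redirect target taken from the request must not be allowed to leave the application's own origin, and dot-segment or percent-encoded tricks must not turn a "local" path into an external one. The following Go function is an added example written for this page; it is not Grafana's code and does not reproduce the CVE-2025-6023 flaw. It shows the whitelist-style check a redirect handler can apply to a user-supplied return path: accept only a single-slash relative path, reject anything carrying a scheme, an authority, a backslash or a control character, then return the cleaned, decoded path (never the raw input), so that traversal and double-slash sequences are collapsed before the browser sees them. The function name `SafeReturnPath` and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// SafeReturnPath validates a user-supplied post-login return target.
// It returns a same-origin, normalised path and true, or "" and false
// when the value must be rejected. Hypothetical helper for illustration;
// not Grafana's own implementation.
func SafeReturnPath(raw string) (string, bool) {
	if raw == "" {
		return "", false
	}
	// Anything that does not start with exactly one "/" can carry a scheme
	// ("https://...", "javascript:...") or a protocol-relative authority
	// ("//evil.example"). Browsers also treat "/\" like "//", so reject
	// backslashes outright rather than trying to normalise them.
	if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") ||
		strings.Contains(raw, "\\") {
		return "", false
	}
	// Control characters are stripped or reinterpreted by some clients;
	// a validator must not reason about a string the browser will rewrite.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return "", false
		}
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	// u.Path is already percent-decoded, so "%2e%2e" and "%2f" have become
	// "." and "/" here. path.Clean then collapses dot segments and repeated
	// slashes, which is why "/%2f%2fevil.example" ends up as the harmless
	// same-origin path "/evil.example" instead of an authority.
	clean := path.Clean(u.Path)
	if !strings.HasPrefix(clean, "/") {
		return "", false
	}
	out := clean
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	return out, true
}

func main() {
	// Constructed sample inputs: a normal dashboard link plus several
	// shapes a validator must neutralise.
	samples := []string{
		"/dashboards?orgId=1",
		"//evil.example/phish",
		"https://evil.example/",
		"/\\evil.example",
		"/a/../admin",
		"/%2f%2fevil.example",
		"/a/b/../../../profile",
	}
	for _, s := range samples {
		out, ok := SafeReturnPath(s)
		fmt.Printf("%-28q -> ok=%-5t %q\n", s, ok, out)
	}
}
```

The important design choice is that the handler redirects to the value returned by the validator, not to the original string. Validating `raw` but then emitting `raw` in the `Location` header would leave percent-encoded and dot-segment forms for the browser to interpret on its own.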