Grafana · Grafana · CVE-2022-21702
**Name of the Vulnerable Software and Affected Versions**
Grafana (affected versions not specified)
**Description**
The issue allows an attacker to serve HTML content through the Grafana datasource or plugin proxy and trick a user into opening that content via a specially crafted link, resulting in a Cross-site Scripting (XSS) attack. Because the proxy relays the upstream response from Grafana's own host, the attacker's HTML is rendered in the Grafana origin and any script in it runs with the victim's Grafana session. An attacker can reach this position by compromising an existing datasource, or by setting up a public service and instructing users to add it as a datasource in their Grafana instance. Exploitation therefore requires both control of the HTTP server behind the datasource or plugin URL and an authenticated user who clicks the crafted link. There are no known workarounds for this issue.
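The following is an added example, not code from Grafana or from this advisory. It is a small Python audit helper with two parts: one lists which datasources in proxy mode point at hosts outside an allowlist you choose, and reports the proxy path under which Grafana relays each such backend; the other classifies the response headers seen on a proxied URL by whether a browser would render the body as an HTML document in the Grafana origin. The `GET /api/datasources` listing and the `/api/datasources/proxy/<id>/` path are Grafana's documented HTTP API; the sample datasource JSON, the allowlist and the sample headers are constructed for this example.

```python
"""Audit helpers for the exposure described above (example code, not Grafana's own):
1. flag proxied datasources whose backend host is outside an operator-chosen allowlist;
2. classify a response relayed by the datasource proxy by whether a browser would
   render it as an HTML document under the Grafana origin."""
import json
from urllib.parse import urlparse

# Constructed sample in the shape Grafana's GET /api/datasources returns
# (fields trimmed to the ones used here). Not captured from a real instance.
SAMPLE_DATASOURCES_JSON = json.dumps([
    {"id": 1, "uid": "prom", "name": "Prometheus", "type": "prometheus",
     "url": "http://prometheus.monitoring.svc:9090", "access": "proxy"},
    {"id": 2, "uid": "loki", "name": "Loki", "type": "loki",
     "url": "http://loki.monitoring.svc:3100", "access": "proxy"},
    {"id": 3, "uid": "ext", "name": "Public metrics", "type": "prometheus",
     "url": "https://metrics.example.net", "access": "proxy"},
    {"id": 4, "uid": "browser", "name": "Browser-direct", "type": "prometheus",
     "url": "https://metrics.example.net", "access": "direct"},
])


def flag_untrusted_datasources(datasources_json, allowed_hosts):
    """Return (name, url, proxy_path) for datasources in access=proxy mode whose
    backend host is not in allowed_hosts. The proxy path is where Grafana relays
    that backend's responses under its own origin."""
    flagged = []
    for ds in json.loads(datasources_json):
        if ds.get("access") != "proxy":
            # 'direct' datasources are fetched by the browser itself and never
            # pass through /api/datasources/proxy/, so they are out of scope here.
            continue
        host = (urlparse(ds.get("url", "")).hostname or "").lower()
        if host not in allowed_hosts:
            flagged.append((ds["name"], ds["url"], f"/api/datasources/proxy/{ds['id']}/"))
    return flagged


def classify_proxied_response(headers):
    """Classify response headers observed on a /api/datasources/proxy/ URL:
    'html'      - declared text/html or XHTML, rendered as a document in Grafana's origin
    'sniffable' - no Content-Type at all, so the browser may sniff the body as HTML
    'not-html'  - anything else, including downloads forced via Content-Disposition
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").strip().lower()
    if disposition.startswith("attachment"):
        return "not-html"
    ctype = h.get("content-type")
    if ctype is None:
        return "sniffable"
    mime = ctype.split(";", 1)[0].strip().lower()
    if mime in ("text/html", "application/xhtml+xml"):
        return "html"
    return "not-html"


if __name__ == "__main__":
    # Allowlist is an operator choice; these hosts are assumed for the sample above.
    allowed = {"prometheus.monitoring.svc", "loki.monitoring.svc"}
    for name, url, path in flag_untrusted_datasources(SAMPLE_DATASOURCES_JSON, allowed):
        print(f"review datasource {name!r}: {url} is relayed at {path}")
    print(classify_proxied_response({"Content-Type": "text/html; charset=utf-8"}))
```

To run this against a live instance, feed `flag_untrusted_datasources` the body returned by `GET /api/datasources` (requested with an API token that is allowed to list datasources) and your own allowlist; every flagged entry is a backend whose operator decides what your users receive under your Grafana origin. `classify_proxied_response` is meant for the headers of a request you make to a flagged proxy path yourself: an `html` or `sniffable` verdict on an unpatched instance is the condition the description above relies on.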
**Recommendations**
Update to a patched version.
The advisory lists no workaround that removes the issue, so the following only reduce exposure until the upgrade is done.
Limit who can add or edit datasources (in Grafana this requires the organization Admin role) and review the URLs of existing datasources for hosts you do not control: a datasource pointing at a third-party server means that server decides what Grafana relays under its own origin.
Do not add datasources or plugins at the request of an untrusted party, and treat links into a Grafana instance's datasource or plugin proxy paths with the same suspicion as any other untrusted link.
Remove or disable any datasource or plugin whose backend is known to be compromised.