Description

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.

Remediation

References

CVE-2022-26148

Related Vulnerabilities

WordPress Plugin AddToAny Share Buttons Cross-Site Scripting (1.7.47)

MySQL CVE-2017-3640 Vulnerability (CVE-2017-3640)

phpMyAdmin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2007-5977)

WordPress Plugin WP-CopyProtect [Protect your blog posts] Cross-Site Scripting (3.0.0)

WordPress Plugin WP Easy Slideshow Multiple Cross-Site Request Forgery Vulnerabilities (1.0.3)

Severity

Critical

Classification

CVE-2022-26148 CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities