Description
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
Remediation
References
Related Vulnerabilities
Django Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0483)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-2190)
WordPress Plugin WP Google Review Slider Cross-Site Scripting (11.5)
Apache Tomcat Exposure of Resource to Wrong Sphere Vulnerability (CVE-2017-5648)