‘Grafana Ghost’ XSS flaw exposes 47,000 servers to account takeover

From open-redirect to plugin-powered takeover

Based on the PoC shared by OX Security, the exploit leverages a clever combo of client-side path traversal and open-redirect mechanics in Grafana’s staticHandler, the component responsible for serving static files like HTML, CSS, JavaScript, and images from the server to the user’s browser.

A potential attack can have a crafted URL sent to the victim, which takes them to a malicious domain. Once there, users are tricked into loading an unsigned, rogue Grafana plugin without the attacker requiring any editor or admin rights.

Once the plugin loads, it runs attacker-controlled JavaScripts in the victim’s browser, potentially leading to session hijacks, credential theft, creation of admin logins, and modification of dashboards.

Additionally, a server-side request forgery (SSRF) escalation for full-read abuse is possible. “This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF,” the Grafana advisory added. Upgrading to fixed Grafana versions is recommended to completely mitigate the issue against N-day attacks.

What's Hot

Elon Musk’s last co-founder reportedly leaves xAI

From Moon hotels to cattle herding: 8 startups investors chased at YC Demo Day

Aetherflux reportedly raising Series B at $2 billion valuation

AI is becoming introspective – and that ‘should be monitored carefully,’ warns Anthropic

Perplexity’s new AI tool lets you search patents with natural language – and it’s free

Are laser-powered tape measures legit? It took just minutes to make me a believer

College social app Fizz expands into grocery delivery

A Former Apple Luminary Sets Out to Create the Ultimate GPU Software

The Reason Murderbot’s Tone Feels Off

Most Popular