Data source credentials exposed in the fronted HTML code

Hi All,

I have found a vulnerability that you view the frontend code (HTML Code) it’s exposing the data source credentials (in my use case I am using 5 Zabbix sources) in clear text.

Steps to reproduce -
Right-click on the front end page > View page source

Opening this new topic as I couldn’t find a similar thread in the forum.

Thank you.

I guess, you are using Zabbix datasource with direct access mode = browser (Grafana frontend) makes connection to the Zabbix => browser must know Zabbix credentials.
Try to switch to proxy mode = Grafana binary will make connection to the Zabbix.
IMHO not a bug, but it’s a feature.

But also none of those application use direct access mode. All of them use an approach, which is alrwady implemented in Grafana as a proxy mode.

My question: are you using access mode? Do you see the same problem in the proxy mode?