Session Hijacking

Hi All,

Grafana 6.7.4 was tested for vulnerabilities, and our team has come up with a high-risk item of session hijacking.

The VA team logs in to Grafana, takes the grafana_session value from the cookie, and is able to log in from another system with the same session value.

Does Grafana provide any solution for restricting the session to one system/browser? Or a new session shouldn’t be created with the hijacked session value.

Thanks,
Goushik Murugesan
