Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23