diff --git a/010-CVE-2020-13430.patch b/010-CVE-2020-13430.patch
new file mode 100644
index 0000000..d9c3597
--- /dev/null
+++ b/010-CVE-2020-13430.patch
@@ -0,0 +1,21 @@
+diff --git a/public/app/plugins/datasource/opentsdb/query_ctrl.ts b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+index 8569de2eb0..cbb1790625 100644
+--- a/public/app/plugins/datasource/opentsdb/query_ctrl.ts
++++ b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+@@ -2,6 +2,7 @@ import _ from 'lodash';
+ import kbn from 'app/core/utils/kbn';
+ import { QueryCtrl } from 'app/plugins/sdk';
+ import { auto } from 'angular';
++import { escapeHtml } from 'app/core/utils/text';
+ 
+ export class OpenTsQueryCtrl extends QueryCtrl {
+   static templateUrl = 'partials/query.editor.html';
+@@ -90,7 +91,7 @@ export class OpenTsQueryCtrl extends QueryCtrl {
+ 
+   getTextValues(metricFindResult: any) {
+     return _.map(metricFindResult, value => {
+-      return value.text;
++      return escapeHtml(value.text);
+     });
+   }
+ 
diff --git a/grafana.spec b/grafana.spec
index fa38f0f..c0c362d 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -24,7 +24,7 @@ end}
 
 Name:             grafana
 Version:          6.7.4
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@@ -58,6 +58,7 @@ Patch6:           006-pkg-setting-ini-default-section.patch
 Patch7:           007-pkg-prometheus-client-query-range.patch
 Patch8:           008-pkg-services-notifications-codes-Unknwon.patch
 Patch9:           009-pkg-fix-xorm-import.patch
+Patch10:          010-CVE-2020-13430.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
@@ -631,6 +632,9 @@ export GO111MODULE=off
 
 
 %changelog
+* Wed Aug 19 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-2
+- security fix for CVE-2020-13430
+
 * Fri Jun 05 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-1
 - update to 6.7.4 tagged upstream community sources, see CHANGELOG
 - security fix for CVE-2020-13379
diff --git a/make_grafana_webpack.sh b/make_grafana_webpack.sh
index 7baf487..6f95c3d 100755
--- a/make_grafana_webpack.sh
+++ b/make_grafana_webpack.sh
@@ -26,6 +26,9 @@ git clone https://github.com/grafana/grafana grafana-$VER
 cd grafana-$VER
 git checkout -b v$VER v$VER
 
+# applying webpack patches
+patch -p1 < ../010-CVE-2020-13430.patch
+
 # exclude the phantomjs-prebuilt binary module from the webpack
 sed -i '/phantomjs-prebuilt/d' package.json
 
diff --git a/sources b/sources
index b8dbdff..2baa9e1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 b9331a128ccb918cb3b9f8c5180eea93  grafana-6.7.4.tar.gz
-5bdff3edbc6d875600b9c61fb5055f07  grafana_webpack-6.7.4.tar.gz
+91f7f66148b5e4c24890c47b85f223e3  grafana_webpack-6.7.4.tar.gz