CVE-2018-9090

Name of the Vulnerable Software and Affected Versions: CoreOS Tectonic versions 1.7.x through 1.8.6

Description: The issue arises because CoreOS Tectonic deploys the Grafana web application with default credentials, specifically admin/admin, for the administrator account. This default credential setup is located in the grafana-credentials secret. Since CoreOS does not randomize the administrative password, it remains unchanged until configured by Tectonic administrators. An attacker can exploit this by inserting an XSS payload into the dashboards.

Recommendations: For CoreOS Tectonic versions 1.7.x through 1.8.6, update to version 1.8.7-tectonic.2 or later to resolve the issue. As a temporary workaround, consider changing the default administrator credentials admin/admin to a secure password to minimize the risk of exploitation. Restrict access to the Grafana web application until the update is applied.