PT-2020-12555 · Grafana+4

Published 2020-04-01 · Updated 2025-01-20 · CVE-2020-11110

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grafana versions 6.7.1 and earlier (all releases before 6.7.2).
Description: Stored XSS caused by insufficient input protection on the originalUrl field of a snapshot. An attacker can store JavaScript in this field; it is executed in the browser of a user who views the snapshot and then clicks Open Original Dashboard.
Recommendations: Update Grafana to version 6.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the originalUrl field to minimize the risk of exploitation.
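As an added illustration of the kind of input protection the originalUrl field lacked (this is hypothetical defender-side code, not Grafana's fix and not part of this advisory; the function name SafeOriginalURL and the sample inputs are constructed), the check below accepts only absolute http(s) URLs or site-relative paths and rejects anything that could become a script-bearing href:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeOriginalURL marks a value that must not be stored or rendered as the link.
var ErrUnsafeOriginalURL = errors.New("originalUrl rejected: unsafe scheme or malformed URL")

// SafeOriginalURL is a hypothetical server-side check for a snapshot's originalUrl.
// It accepts only absolute http(s) URLs with a host and site-relative paths;
// javascript:, data:, vbscript:, scheme-relative (//host) and values carrying
// control characters are rejected before the field is persisted or rendered.
func SafeOriginalURL(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if s == "" {
		return "", nil // no link at all is the safe default
	}
	// Embedded control characters are a classic way to smuggle a scheme past
	// naive prefix checks (e.g. "java\tscript:"), so reject them outright.
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return "", ErrUnsafeOriginalURL
		}
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", ErrUnsafeOriginalURL
	}
	isRelative := u.Scheme == "" && u.Host == "" &&
		strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//")
	isHTTP := (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
	if !isRelative && !isHTTP {
		return "", ErrUnsafeOriginalURL
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one legitimate dashboard link, two hostile values.
	for _, in := range []string{"/d/abc/dash?orgId=1", "javascript:alert(1)", "//evil.example/x"} {
		out, err := SafeOriginalURL(in)
		fmt.Printf("%q -> %q err=%v\n", in, out, err)
	}
}
```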

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

ALSA-2020:4682
ALT-PU-2020-1966
ALT-PU-2020-2204
BIT-GRAFANA-2020-11110
CESA-2020_4682
CVE-2020-11110
ECHO-97A6-C742-2044
GHSA-XR3X-62QW-VC4W
GO-2024-2523
RHSA-2020:4682
RHSA-2020_4682
SUSE-SU-2020:2715-1
SUSE-SU-2020:2876-1
SUSE-SU-2020:2911-1
SUSE-SU-2020:3309-1
SUSE-SU-2021:1962-1

Affected Products

Alt Linux
Almalinux
Centos
Grafana
Red Hat