Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
References
Link | Resource |
---|---|
https://github.com/grafana/grafana/blob/master/CHANGELOG.md | Release Notes Third Party Advisory |
https://security.netapp.com/advisory/ntap-20200810-0002/ | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2020-07-27 13:15
Updated : 2024-02-28 17:47
NVD link : CVE-2020-11110
Mitre link : CVE-2020-11110
CVE.ORG link : CVE-2020-11110
JSON object : View
Products Affected
grafana
- grafana
netapp
- e-series_performance_analyzer
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')