Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
References
Link | Resource |
---|---|
https://github.com/grafana/grafana/blob/master/CHANGELOG.md | Release Notes Third Party Advisory |
https://security.netapp.com/advisory/ntap-20200810-0002/ | Third Party Advisory |
https://github.com/grafana/grafana/blob/master/CHANGELOG.md | Release Notes Third Party Advisory |
https://security.netapp.com/advisory/ntap-20200810-0002/ | Third Party Advisory |
Configurations
History
21 Nov 2024, 04:56
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/grafana/grafana/blob/master/CHANGELOG.md - Release Notes, Third Party Advisory | |
References | () https://security.netapp.com/advisory/ntap-20200810-0002/ - Third Party Advisory |
Information
Published : 2020-07-27 13:15
Updated : 2024-11-21 04:56
NVD link : CVE-2020-11110
Mitre link : CVE-2020-11110
CVE.ORG link : CVE-2020-11110
JSON object : View
Products Affected
netapp
- e-series_performance_analyzer
grafana
- grafana
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')