Description

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Remediation

References

CVE-2020-11110

Related Vulnerabilities

IBM RTC Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability (CVE-2016-0325)

MySQL CVE-2014-4233 Vulnerability (CVE-2014-4233)

WordPress Plugin Insert or Embed Articulate Content into WordPress Unspecified Vulnerability (4.299993)

WordPress Plugin Fourteen Extended Cross-Site Scripting (1.2.31)

WordPress Plugin wpCentral Security Bypass (1.4.7)

Severity

Medium

Classification

CVE-2020-11110 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities