Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-11110 — Cross-site Scripting in Grafana Grafana

CWE-79 — Cross-site Scripting9 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

54.0%

top 1.98%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedJul 27

Latest updateJun 28

Description

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶Gogithub.com/grafana_grafana< 6.7.2

▶NVDgrafana/grafana6.7.1

🔴Vulnerability Details

OSV

Grafana stored XSS in github.com/grafana/grafana↗2024-06-28

▶

GHSA

Grafana stored XSS↗2022-05-24

▶

OSV

Grafana stored XSS↗2022-05-24

▶

OSV

CVE-2020-11110: Grafana through 6↗2020-07-27

▶

CVEList

CVE-2020-11110: Grafana through 6↗2020-07-27

▶

💥Exploits & PoCs

Nuclei

Grafana <= 6.7.1 - Cross-Site Scripting

▶

📋Vendor Advisories

Red Hat

grafana: stored XSS↗2020-04-01

▶

💬Community

Bugzilla

CVE-2020-11110 grafana: stored XSS↗2020-07-27

▶