CVE-2020-11110
published 2020-07-27

Priority: P3 (38) · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 9.62% (94.9th percentile)
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Affected (2 ranges)

  Vendor       Product           Version range     Fixed in
  github.com   grafana_grafana   >= 0, < 6.7.2     6.7.2
  grafana      grafana           <= 6.7.1

Detection & IOCs (extracted from sources)

url: /api/snapshots
command: javascript:alert('Revers3c')
  • A POST request to /api/snapshots with a JSON body whose 'snapshot.originalUrl' field is set to a javascript: URI is the attack vector for the CVE-2020-11110 stored XSS.
  • Inspect snapshot creation requests for a 'snapshot.originalUrl' value beginning with 'javascript:'; this is the field that carries the injected XSS payload.
  • A response Content-Type header of 'application/json' combined with 'deleteKey' and 'deleteUrl' in the body confirms that a snapshot was created (and the payload stored).
  • The snapshot URL returned in the response body can be extracted with the regex '"url":"([a-z:/0-9A-Z]+)"' to identify the stored XSS delivery link.
  • The upstream fix is commit fb114a75241aaef4c08581b42509c750738b768a; instances running Grafana <= 6.7.1 without this patch are vulnerable.
  • OpenShift 3.11 and 4.x grafana-container instances are affected, but exploitation is blocked because the Grafana instance is set to read-only (the originalUrl field cannot be modified) and access requires admin permissions via the OpenShift OAuth proxy.
  • OpenShift Service Mesh 1 packages Grafana v6.4.3 (vulnerable) in openshift-service-mesh/grafana-rhel8 and is marked 'Will not fix'.
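As an added detection example (not code from the original source or from Grafana), the checks listed above applied to a constructed request/response pair: the scheme of originalUrl is normalised for whitespace and letter case rather than matched as a bare 'javascript:' prefix, and the response is only treated as a stored snapshot when deleteKey and deleteUrl are present. The host name, keys and URLs in the sample are placeholders.

```python
import json
import re
from typing import Optional

# Constructed sample traffic (not captured data): a POST body for /api/snapshots
# carrying a javascript: originalUrl, and the JSON reply returned once the
# snapshot is stored. Host, keys and URLs are placeholders.
SAMPLE_REQUEST_BODY = json.dumps({
    "dashboard": {"title": "constructed sample"},
    "snapshot": {"originalUrl": "javascript:alert('Revers3c')"},
    "name": "sample",
})
SAMPLE_RESPONSE_BODY = (
    '{"deleteKey":"placeholderdeletekey",'
    '"deleteUrl":"http://localhost:3000/api/snapshots-delete/placeholderdeletekey",'
    '"key":"placeholderkey",'
    '"url":"http://localhost:3000/dashboard/snapshot/placeholderkey"}'
)

# Regex quoted in the IOC list. Note its character class stops at '.', '-' and '_',
# so a host name containing a dot is only captured up to that character.
URL_RE = re.compile(r'"url":"([a-z:/0-9A-Z]+)"')


def _scheme(value: str) -> str:
    # Browsers ignore leading whitespace/control characters and letter case in the
    # scheme, so normalise before comparing instead of testing a raw prefix.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""


def flag_snapshot_request(path: str, body: str) -> Optional[str]:
    """Return the suspicious originalUrl value, or None if the request looks benign."""
    if path.rstrip("/") != "/api/snapshots":
        return None
    try:
        original = json.loads(body).get("snapshot", {}).get("originalUrl", "")
    except (ValueError, AttributeError):  # malformed JSON or unexpected shape
        return None
    if isinstance(original, str) and _scheme(original) == "javascript":
        return original
    return None


def snapshot_stored(content_type: str, response_body: str) -> Optional[str]:
    """If the reply confirms storage (deleteKey + deleteUrl), return the snapshot URL."""
    if not content_type.lower().startswith("application/json"):
        return None
    if "deleteKey" not in response_body or "deleteUrl" not in response_body:
        return None
    match = URL_RE.search(response_body)
    return match.group(1) if match else None
```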

CVSS provenance

  Source          Version   Score   Severity   Vector
  nvd             v3.1      5.4     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  nvd             v2.0      3.5     LOW        AV:N/AC:M/Au:S/C:N/I:P/A:N
  osv             -         5.4     MEDIUM
  vendor_redhat   -         5.4     MEDIUM