CVE-2020-11110
Published 2020-07-27
Priority P3 · 38 · medium · 5.4 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 9.62% (94.9th percentile)
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 6.7.2 | 6.7.2 |
| grafana | grafana | <= 6.7.1 | — |
Detection & IOCs
url: /api/snapshots
command: javascript:alert('Revers3c')
- A POST request to /api/snapshots with a JSON body whose 'snapshot.originalUrl' field is set to a javascript: URI is the attack vector for the CVE-2020-11110 stored XSS.
- Inspect snapshot creation requests for a 'snapshot.originalUrl' value beginning with 'javascript:'; this is the injected XSS payload field.
- A response Content-Type header of 'application/json' combined with 'deleteKey' and 'deleteUrl' in the body confirms that a snapshot was successfully created (and the payload stored).
- The snapshot URL returned in the response body can be extracted with the regex '"url":"([a-z:/0-9A-Z]+)"' to identify the stored XSS delivery link.
- The upstream fix is commit fb114a75241aaef4c08581b42509c750738b768a; instances running Grafana <= 6.7.1 without this patch are vulnerable.
- OpenShift 3.11 and 4.x grafana-container instances are affected, but exploitation is blocked because the grafana instance is set to read-only (the originalUrl field cannot be modified) and access requires admin permissions via the OpenShift OAuth proxy.
- OpenShift Service Mesh 1 packages grafana v6.4.3 (vulnerable) in openshift-service-mesh/grafana-rhel8 and is marked 'Will not fix'.
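As an added example (not code from this page, from Grafana, or from the upstream fix), the following Python implements the request check described in the IOC list above and the hardened scheme check a fix would apply to the originalUrl value; the scheme allowlist, function names and sample requests are assumptions constructed here, and the normalization step goes beyond the plain 'javascript:' prefix match so that case and embedded control characters do not bypass the check.

```python
import json
import re
from urllib.parse import urlparse

# Scheme allowlist for the "Open Original Dashboard" link. The allowlist and all
# function names here are assumptions of this example, not Grafana's own code.
SAFE_SCHEMES = {"http", "https"}
# Browsers discard ASCII control characters and whitespace before reading a URL's
# scheme, so the value must be normalized the same way before it is classified.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def is_safe_original_url(value):
    """True for a relative path or an http(s) URL; False for javascript:, data:, etc."""
    if not isinstance(value, str):
        return False
    scheme = urlparse(_CTRL_WS.sub("", value)).scheme  # urlparse lowercases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES


def sanitize_original_url(value):
    """Hardened behaviour: keep a safe value, replace anything else with an empty link."""
    return value if is_safe_original_url(value) else ""


def flag_snapshot_request(method, path, body):
    """Return the unsafe snapshot.originalUrl from a POST /api/snapshots body, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/api/snapshots":
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    snapshot = doc.get("snapshot") if isinstance(doc, dict) else None
    original = snapshot.get("originalUrl") if isinstance(snapshot, dict) else None
    if original is None or is_safe_original_url(original):
        return None
    return original


# Constructed sample traffic for this example (not real captures): a benign
# snapshot, the payload quoted in the IOC list, a tab-obfuscated variant, and a GET.
SAMPLE_REQUESTS = [
    ("POST", "/api/snapshots", '{"dashboard":{},"snapshot":{"originalUrl":"/d/abc/my-dash"}}'),
    ("POST", "/api/snapshots", '{"dashboard":{},"snapshot":{"originalUrl":"javascript:alert(\'Revers3c\')"}}'),
    ("POST", "/api/snapshots", '{"dashboard":{},"snapshot":{"originalUrl":"JaVa\\tScRiPt:alert(1)"}}'),
    ("GET", "/api/snapshots/abc", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Unsafe originalUrl values found in the traffic, in request order."""
    return [u for u in (flag_snapshot_request(*r) for r in requests) if u is not None]
```

Running `scan()` over the constructed traffic flags the second and third requests; the same `is_safe_original_url` check, applied server-side before the value is stored, is the mitigation.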
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 5.4 | MEDIUM | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |
OSV · 2024-06-28
Grafana stored XSS in github.com/grafana/grafana
Grafana stored XSS in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v6.7.2.
GHSA · 2022-05-24 · MEDIUM · CWE-79
Grafana stored XSS
Grafana through 6.7.1 allows stored XSS.
OSV · 2022-05-24 · MEDIUM
Grafana stored XSS
Grafana through 6.7.1 allows stored XSS.
OSV · 2020-07-27 · MEDIUM · CVSS 5.4
CVE-2020-11110
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
Red Hat · 2020-04-01 · MEDIUM · CWE-79 · CVSS 5.4
grafana: stored XSS
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
A flaw was found in grafana. The lack of URL sanitizing allows for stored XSS.
Statement: Both OpenShift 3.11 and 4.x grafana-containers package a vulnerable version of grafana. However, the grafana instance is set to read-only, meaning that the potential XSS attack cannot be performed because the original url field cannot be modified. Access to the grafana panel is additionally behind the OpenShift OAuth proxy and requires admin permissions.
As OpenShift still packages the vulnerable code, the components are affected but the impact is Low.
No detection rules found.
Nuclei · MEDIUM · CVSS 5.4
Grafana <= 6.7.1 - Cross-Site Scripting
Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
Template:

```yaml
id: CVE-2020-11110
info:
  name: Grafana <= 6.7.1 - Cross-Site Scripting
  author: emadshanab
  severity: medium
  description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
  impact: |
    Successful exploit
```
GreyNoise · NoiseLetter October 2025 (blogs_greynoiseio)
Bugzilla · 2020-07-27 · MEDIUM · CVSS 5.4
CVE-2020-11110 grafana: stored XSS
Grafana through 6.7.1 allows stored XSS.
Reference:
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#672-2020-04-02
Discussion:
Upstream patch: https://github.com/grafana/grafana/commit/fb114a75241aaef4c08581b42509c750738b768a
---
Statement:
Both OpenShift 3.11 and 4.x grafana-containers package a vulnerable version of grafana. However, the grafana instance is set to read-only, meaning that the potential XSS attack cannot be performed because the original url field cannot be modified. Access to the grafana panel is additionally behind the OpenShift OAuth proxy and requires admin permissions.
As OpenShift still packages the vulnerable code, the components are affected but the impact is Low.
---
OpenShift ServiceMesh packages a vulnerable ver