CVE-2020-13430
Published 2020-05-24
CVE-2020-13430: Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
Priority: P4 · 25 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.82% (76.0th percentile)
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 7.0.0 | 7.0.0 |
| grafana | grafana | < 7.0.0 | 7.0.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
OSV
Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana
osv · 2024-06-28
Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.
GHSA
Grafana XSS via the OpenTSDB datasource
ghsa · 2022-05-24 · MEDIUM · CWE-79
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
OSV
Grafana XSS via the OpenTSDB datasource
osv · 2022-05-24 · MEDIUM
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
OSV
CVE-2020-13430: Grafana before 7
osv · 2020-05-24 · CVSS 6.1 · MEDIUM
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
Red Hat
grafana: XSS via the OpenTSDB datasource
vendor_redhat · 2020-05-24 · CVSS 6.1 · MEDIUM · CWE-79
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
A flaw was found in grafana: tag value XSS via the OpenTSDB datasource is possible. The highest threat from this vulnerability is to data confidentiality and integrity.
Statement: Red Hat Ceph Storage (RHCS) delivers the affected code of the grafana OpenTSDB plugin. However, Red Hat Ceph Storage uses the Prometheus time-series database as its default data source, not OpenTSDB, hence the impact of this vulnerability is set to low.
Red Hat Gluster Storage (RHGS) delivers the affected code of the grafana OpenTSDB plugin. However, Red Hat Gluster Storage uses Graphite as its data source, not OpenTSDB, hence the impact of this vulnerability is set to low.
Package: grafana (Red
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
bugzilla · 2020-06-17 · CVSS 6.1 · MEDIUM
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
Reference:
https://github.com/grafana/grafana/releases/tag/v7.0.0
Upstream commit:
https://github.com/grafana/grafana/pull/24539
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1848109]
---
Keeping OpenShift and ServiceMesh at Moderate, as even though the components are behind OAuth, a logged-in user can still be tricked into performing XSS.
ServiceMesh packages a vulnerable version of grafana:
- ServiceMesh 1.0.x grafana v6.2.2
- ServiceMesh 1.1.x grafana v6.4.3
OpenShift packages a vulnerable version of grafana:
- OpenShift 3.11 grafana v5.4.3
- OpenShift 4.x grafana v6.5.3
---
Statement:
Red Hat Ceph Storage (RHCS) delivers
Bugzilla
CVE-2020-13430 grafana: XSS via the OpenTSDB datasource [fedora-all]
bugzilla · 2020-06-17 · CVSS 6.1 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedor
References:
- https://github.com/grafana/grafana/pull/24539
- https://github.com/grafana/grafana/releases/tag/v7.0.0
- https://security.netapp.com/advisory/ntap-20200528-0003/
Published: 2020-05-24