CVE-2020-24303
Published 2020-10-28
CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
Priority P4 · 27 · medium · 6.1 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.97% (77.9th percentile)
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 7.1.0-beta1 | 7.1.0-beta1 |
| grafana | grafana | <= 7.0.5 | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV
CVE-2020-24303 · osv · 2024-06-28
Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana
Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.1.0-beta1.
OSV
CVE-2020-24303 [MEDIUM] · osv · 2022-05-24
Grafana XSS via a query alias for the ElasticSearch datasource
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
GHSA
CVE-2020-24303 [MEDIUM] CWE-79 · ghsa · 2022-05-24
Grafana XSS via a query alias for the ElasticSearch datasource
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
OSV
CVE-2020-24303 [MEDIUM] · osv · 2020-10-28 · CVSS 6.1
CVE-2020-24303: Grafana before 7
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
Red Hat
CVE-2020-24303 [MEDIUM] CWE-79 · vendor_redhat · 2020-06-08 · CVSS 6.1
grafana: XSS via a query alias for the Elasticsearch and Testdata datasource
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
A flaw was found in grafana. An XSS via a query alias for the ElasticSearch datasource is allowed.
Statement: A vulnerable version of Grafana is shipped in OpenShift 3.11 - 4.5 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to Elasticsearch or Testdata requires full control of the grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still packages the vulnerable code, the components are affected but with impact Low. OpenShift 4.6 uses version 7.2.0 of Grafana in openshift4/ose-grafana-container and is not affe
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-24303 [MEDIUM] · bugzilla · 2020-10-28 · CVSS 6.1
CVE-2020-24303 grafana: XSS via a query alias for the Elasticsearch and Testdata datasource
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
References:
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01
https://github.com/grafana/grafana/pull/25401
Discussion:
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1892419]
---
Upstream fix pr:
https://github.com/grafana/grafana/pull/25401
---
External References:
https://github.com/grafana/grafana/pull/25401
---
Statement:
A vulnerable version of Grafana is shipped in OpenShift 3.11 - 4.5 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to Elasticsearch or Testdata requires full control of the grafan
Bugzilla
CVE-2020-24303 [MEDIUM] · bugzilla · 2020-10-28 · CVSS 6.1
CVE-2020-24303 grafana: XSS via a query alias for the Elasticsearch and Testdata datasource [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects
References:
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01
https://github.com/grafana/grafana/pull/25401
https://security.netapp.com/advisory/ntap-20201123-0002/
Published: 2020-10-28