Description
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field. An attacker can inject JavaScript code that is executed when a user visits the snapshot and then clicks Open Original Dashboard.
Remediation
References