Description

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Remediation

References

CVE-2020-11110

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-8148)

WordPress Plugin ImageInject Multiple Vulnerabilities (1.15)

WordPress Plugin TaxoPress-Create and Manage Taxonomies, Tags, Categories Cross-Site Scripting (3.0.7.1)

Oracle Database Server Deserialization of Untrusted Data Vulnerability (CVE-2018-14719)

WordPress Plugin All in One SEO-Best WordPress SEO-Easily Improve SEO Rankings & Increase Traffic Cross-Site Scripting (2.0.3)

Severity

Medium

Classification

CVE-2020-11110 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities