Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
References
Link | Resource |
---|---|
https://github.com/grafana/grafana/blob/master/CHANGELOG.md | Release Notes Third Party Advisory |
https://security.netapp.com/advisory/ntap-20200810-0002/ | Third Party Advisory |
Configurations
History
10 Feb 2023, 18:04
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20200810-0002/ - Third Party Advisory | |
CPE | cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 5.4 |
First Time |
Netapp
Netapp e-series Performance Analyzer |
Information
Published : 2020-07-27 13:15
Updated : 2023-12-10 13:27
NVD link : CVE-2020-11110
Mitre link : CVE-2020-11110
CVE.ORG link : CVE-2020-11110
JSON object : View
Products Affected
netapp
- e-series_performance_analyzer
grafana
- grafana
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')