Home

CVE-2020-11110

Description

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Risk Information

Base Score
5.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
69.279

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2020-11110,CVE-2020-24303 are affected in GrafanaEnterprise 1.2.1Windows
Grafana update (ELSA-2020-4682) grafana-6.7.4-3.el8.x86_64.rpmLinux
Grafana-azure-monitor update (ELSA-2020-4682) grafana-azure-monitor-6.7.4-3.el8.x86_64.rpmLinux
Grafana-cloudwatch update (ELSA-2020-4682) grafana-cloudwatch-6.7.4-3.el8.x86_64.rpmLinux
Grafana-elasticsearch update (ELSA-2020-4682) grafana-elasticsearch-6.7.4-3.el8.x86_64.rpmLinux
Grafana-graphite update (ELSA-2020-4682) grafana-graphite-6.7.4-3.el8.x86_64.rpmLinux
Grafana-influxdb update (ELSA-2020-4682) grafana-influxdb-6.7.4-3.el8.x86_64.rpmLinux
Grafana-loki update (ELSA-2020-4682) grafana-loki-6.7.4-3.el8.x86_64.rpmLinux
Grafana-mssql update (ELSA-2020-4682) grafana-mssql-6.7.4-3.el8.x86_64.rpmLinux
Grafana-mysql update (ELSA-2020-4682) grafana-mysql-6.7.4-3.el8.x86_64.rpmLinux
Grafana-opentsdb update (ELSA-2020-4682) grafana-opentsdb-6.7.4-3.el8.x86_64.rpmLinux
Grafana-postgres update (ELSA-2020-4682) grafana-postgres-6.7.4-3.el8.x86_64.rpmLinux
Grafana-prometheus update (ELSA-2020-4682) grafana-prometheus-6.7.4-3.el8.x86_64.rpmLinux
Grafana-stackdriver update (ELSA-2020-4682) grafana-stackdriver-6.7.4-3.el8.x86_64.rpmLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-335779GrafanaEnterprise (10.3.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234