Vulnerability Name:

CVE-2020-11110 (CCN-185816)

Assigned:2020-03-30
Published:2020-03-30
Updated:2023-02-10
Summary:Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2020-11110

Source: XF
Type: UNKNOWN
grafana-cve202011110-xss(185816)

Source: CCN
Type: Grafana GIT Repository
grafana

Source: CCN
Type: Grafana GIT Repository
Grafana

Source: cve@mitre.org
Type: Release Notes, Third Party Advisory
cve@mitre.org

Source: CCN
Type: Grafana Web site
Grafana

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:grafana:grafana:5.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:4.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:5.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:6.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:6.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:6.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:5.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:6.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:grafana:grafana:5.3.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:202011110
    V
    		CVE-2020-11110
    2022-05-22
    oval:org.opensuse.security:def:58038
    P
    		Security update for qemu (Important)
    2021-11-10
    oval:org.opensuse.security:def:63205
    P
    		gnuplot-5.2.2-3.3.29 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:63204
    P
    		freeradius-server-3.0.16-3.3.1 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:61677
    P
    		xdg-utils-20170508-3.2 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:61654
    P
    		shim-15+git47-1.5 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:61653
    P
    		sharutils-4.15.2-2.21 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:60340
    P
    		Security update for openssl-1_1 (Important)
    2021-08-24
    oval:org.opensuse.security:def:63336
    P
    		libcacard-devel-2.5.3-1.27 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63496
    P
    		libsybdb5-1.1.36-3.3.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63471
    P
    		flac-1.3.2-3.6.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63443
    P
    		libxslt1-32bit-1.1.32-3.8.24 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63437
    P
    		libsndfile1-32bit-1.0.28-5.5.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63102
    P
    		reiserfs-kmp-default-5.3.18-57.3 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62313
    P
    		python3-waitress-1.4.3-3.3.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62753
    P
    		gnome-shell-3.34.5-8.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62119
    P
    		libXRes1-1.2.0-1.18 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62211
    P
    		libruby2_5-2_5-2.5.9-4.17.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:57479
    P
    		Security update for systemd (Important)
    2021-07-21
    oval:org.opensuse.security:def:88141
    P
    		Security update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone (Moderate)
    2021-06-11
    oval:org.opensuse.security:def:88454
    P
    		Security update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone (Moderate)
    2021-06-11
    oval:org.opensuse.security:def:63546
    P
    		libmwaw-0_3-3-0.3.13-2.25 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:57930
    P
    		Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)
    2021-06-04
    oval:org.opensuse.security:def:63074
    P
    		libopenssl-1_0_0-devel-1.0.2p-3.14.2 on GA media (Moderate)
    2021-04-29
    oval:org.opensuse.security:def:59856
    P
    		Security update for python-cryptography (Important)
    2021-03-02
    oval:org.opensuse.security:def:60456
    P
    		Security update for tomcat (Moderate)
    2021-02-19
    oval:org.opensuse.security:def:60300
    P
    		Security update for postgresql, postgresql12, postgresql13 (Important)
    2021-01-26
    oval:org.opensuse.security:def:61058
    P
    		Security update for openexr (Moderate)
    2020-12-23
    oval:org.opensuse.security:def:62972
    P
    		perl-Archive-Extract-0.80-1.24 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62407
    P
    		gcab-1.1-1.15 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61846
    P
    		libmspack-devel-0.6-3.8.19 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63308
    P
    		uuidd-2.33.1-4.5.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63581
    P
    		imobiledevice-tools-1.2.0+git20170122.45fda81-1.44 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62443
    P
    		libgypsy-devel-0.9-2.30 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63298
    P
    		rarpd-s20161105-6.10 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61766
    P
    		hardlink-1.0+git.e66999f-1.25 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61937
    P
    		pam_ssh-2.1-2.27 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61743
    P
    		fuse-2.9.7-3.3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63387
    P
    		apache-commons-beanutils-1.9.2-2.46 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62539
    P
    		libXi6-32bit-1.7.9-1.23 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63404
    P
    		apache-commons-beanutils-1.9.4-1.68 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61742
    P
    		freetype2-devel-2.10.1-4.3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62653
    P
    		libSoundTouch0-1.8.0-3.11.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:57200
    P
    		Security update for compat-openssl097g
    2020-12-01
    oval:org.opensuse.security:def:60634
    P
    		Security update for openssl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56822
    P
    		Security update for ghostscript (Important)
    2020-12-01
    oval:org.opensuse.security:def:60600
    P
    		Security update for postgresql10 (Important)
    2020-12-01
    oval:org.opensuse.security:def:57645
    P
    		Security update for tiff (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:61028
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:58242
    P
    		Security update for sssd (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56962
    P
    		Security update for freerdp (Important)
    2020-12-01
    oval:org.opensuse.security:def:56800
    P
    		Security update for qemu (Important)
    2020-12-01
    oval:org.opensuse.security:def:60711
    P
    		Security update for java-1_7_1-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:60111
    P
    		Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60899
    P
    		Security update for mariadb (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58130
    P
    		Security update for python-Pillow (Important)
    2020-12-01
    oval:org.opensuse.security:def:56799
    P
    		Security update for ucode-intel (Important)
    2020-12-01
    oval:org.opensuse.security:def:60041
    P
    		Security update for bash (Important)
    2020-12-01
    oval:org.opensuse.security:def:60672
    P
    		Security update for python-PyKMIP (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60718
    P
    		Security update for python3-requests (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60978
    P
    		Security update for java-1_8_0-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:58323
    P
    		Security update for xorg-x11-server (Important)
    2020-12-01
    oval:org.opensuse.security:def:60552
    P
    		sysvinit-tools on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60790
    P
    		Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)
    2020-12-01
    oval:org.opensuse.security:def:60937
    P
    		Security update for galera-3, mariadb, mariadb-connector-c (Important)
    2020-12-01
    oval:org.opensuse.security:def:58204
    P
    		Security update for clamav (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60761
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:57373
    P
    		Security update for icedtea-web
    2020-12-01
    oval:org.opensuse.security:def:60815
    P
    		Security update for python3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58273
    P
    		Security update for python (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58348
    P
    		Security update for qemu (Moderate)
    2020-11-29
    oval:org.opensuse.security:def:84511
    P
    		Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)
    2020-11-12
    oval:org.opensuse.security:def:84056
    P
    		Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)
    2020-11-12
    oval:com.redhat.rhsa:def:20204682
    P
    		RHSA-2020:4682: grafana security, bug fix, and enhancement update (Moderate)
    2020-11-04
    BACK
    grafana grafana 5.1.3
    grafana grafana 5.2.2
    grafana grafana 4.6.3
    grafana grafana 5.3.2
    grafana grafana 5.2.4
    grafana grafana 6.2.4
    grafana grafana 6.3.2
    grafana grafana 6.3.3
    grafana grafana 5.4.0
    grafana grafana 6.3.6
    grafana grafana 5.3.1