.. / CVE-2020-11110

Exploit for Grafana <= 6.7.1 - Cross-Site Scripting (CVE-2020-11110)

Description:

Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Nuclei Template

View the template here CVE-2020-11110.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-11110.yaml

References:

https://github.com/grafana/grafana/pull/23254
https://github.com/grafana/grafana/blob/master/CHANGELOG.md
https://nvd.nist.gov/vuln/detail/CVE-2020-11110
https://hackerone.com/reports/1329433
https://security.netapp.com/advisory/ntap-20200810-0002/

.. / CVE-2020-11110 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Grafana <= 6.7.1 - Cross-Site Scripting (CVE-2020-11110)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2020-11110