macabu

5 exploits Active since Apr 2020
CVE-2020-11110 WRITEUP MEDIUM WRITEUP
Grafana < 6.7.1 - Stored Cross-Site Scripting via OriginalUrl Field
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVSS 5.4
CVE-2021-27358 WRITEUP HIGH WRITEUP
Grafana 6.7.3-7.4.1 - Unauthenticated Denial of Service via Snapshot API
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
CVSS 7.5
CVE-2020-12245 WRITEUP MEDIUM WRITEUP
Grafana < 6.7.3 - Cross-Site Scripting via Table Panel Column Title or Cell Link Tooltip
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
CVSS 6.1
CVE-2020-24303 WRITEUP MEDIUM WRITEUP
Grafana < 7.0.5 and >=0 < 7.1.0-beta1 - Cross-Site Scripting via ElasticSearch Datasource Query Alias
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVSS 6.1
CVE-2021-27358 WRITEUP HIGH WRITEUP
Grafana 6.7.3-7.4.1 - Unauthenticated Denial of Service via Snapshot API
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
CVSS 7.5