CVE-2018-9090
Severity: MEDIUM
CoreOS Tectonic 1.7.1-tectonic.1 - 1.8.7-tectonic.2 - Cross-Site Scripting via Grafana Default Credentials
Title source: llmDescription
CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application with default credentials (admin/admin) for the administrator account, stored in the grafana-credentials secret. This occurs because CoreOS does not randomize the administrator password for later configuration by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.
References (2)
Release Notes, Vendor Advisory (x_refsource_misc): https://coreos.com/tectonic/releases/
Release Notes, Vendor Advisory (x_refsource_misc): https://coreos.com/tectonic/releases/#1.8.7-tectonic.2
Scores
CVSS v3
6.1
EPSS
0.0023
EPSS Percentile
45.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
redhat/tectonic
1.7.1-tectonic.1 - 1.8.7-tectonic.2
Published
Sep 24, 2019
Tracked Since
Feb 18, 2026