CVE-2020-11110

MEDIUM NUCLEI

Grafana <6.7.1 - XSS

Title source: llm

Description

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Exploits (1)

nomisec NO CODE 2 stars

by AVE-Stoik · poc

https://github.com/AVE-Stoik/CVE-2020-11110-Proof-of-Concept

View Code ZIP pw:eip

Nuclei Templates (1)

Grafana <= 6.7.1 - Cross-Site Scripting

MEDIUMby emadshanab

Shodan: title:"Grafana" || cpe:"cpe:2.3:a:grafana:grafana" || http.title:"grafana"

FOFA: title="grafana" || app="grafana"

References (2)

[Release Notes, Third Party Advisory] https://github.com/grafana/grafana/blob/master/CHANGELOG.md

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200810-0002/

Scores

CVSS v3 5.4

EPSS 0.5402

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (3)

grafana/grafana < 6.7.1

grafana/grafana 0 - 6.7.2Go

netapp/e-series_performance_analyzer

Published Jul 27, 2020

Tracked Since Feb 18, 2026