CVE-2020-11110
MEDIUM NUCLEIGrafana < 6.7.1 - Stored Cross-Site Scripting via OriginalUrl Field
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2020-11110. PoCs published by AVE-Stoik. A Nuclei detection template is also available.
Description
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
Exploits (1)
nomisec
NO CODE
2 stars
by AVE-Stoik · poc
https://github.com/AVE-Stoik/CVE-2020-11110-Proof-of-Concept
Nuclei Templates (1)
Grafana <= 6.7.1 - Cross-Site Scripting
MEDIUMby emadshanab
Shodan:
title:"Grafana" || cpe:"cpe:2.3:a:grafana:grafana" || http.title:"grafana"
FOFA:
title="grafana" || app="grafana"
References (2)
Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/grafana/grafana/blob/master/CHANGELOG.md
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200810-0002/
Scores
CVSS v3
5.4
EPSS
0.5402
EPSS Percentile
98.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
grafana/grafana
< 6.7.1
grafana/grafana
0 - 6.7.2Go
netapp/e-series_performance_analyzer
Published
Jul 27, 2020
Tracked Since
Feb 18, 2026