CVE-2020-24303
MEDIUMGrafana < 7.0.5 and >=0 < 7.1.0-beta1 - Cross-Site Scripting via ElasticSearch Datasource Query Alias
Title source: llmDescription
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
References (3)
Core 3
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01
Patch, Third Party Advisory x_refsource_misc
https://github.com/grafana/grafana/pull/25401
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20201123-0002/
Scores
CVSS v3
6.1
EPSS
0.0197
EPSS Percentile
77.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
grafana/grafana
< 7.0.5
grafana/grafana
0 - 7.1.0-beta1Go
Published
Oct 28, 2020
Tracked Since
Feb 18, 2026