CVE-2020-11110: Grafana stored XSS
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98469%
CWE
Published
5/24/2022
Updated
8/7/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/grafana/grafana | go | <= 6.7.1 | 6.7.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from dashboard snapshot originalUrl values being rendered without sanitization in href attributes. The commit fb114a7 specifically added sanitizeUrl()
to the snapshotUrl
usage in DashNav.tsx
, indicating this was the vulnerable path. The lack of URL sanitization in the original code allowed execution of arbitrary JavaScript through crafted URLs.