Miggo Logo
Miggo Vulnerability Database
CVE-2020-24303

CVE-2020-24303: Grafana XSS via a query alias for the ElasticSearch datasource

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-24303
GHSA ID
GHSA-mvpr-q6rh-8vrp
EPSS Score
0.73341%
CWE
CWE-79
Published
5/24/2022
Updated
8/7/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/grafana/grafanago< 7.1.0-beta17.1.0-beta1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from unvalidated/unescaped user input in query alias fields being processed by AngularJS templates. The bs-typeahead directive's handling of options array allowed JS execution. The patch (#25401) specifically added validation to these alias fields and escaping during rendering. The CHANGELOG and commit messages confirm these were the vulnerable areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*r***n* ***or* *.*.*-**t* * *llows XSS vi* * qu*ry *li*s *or t** *l*sti*S**r** **t*sour**.

Reasoning

T** vuln*r**ility st*mm** *rom unv*li**t**/un*s**p** us*r input in qu*ry *li*s *i*l*s **in* pro**ss** *y *n*ul*rJS t*mpl*t*s. T** `*s-typ******` *ir**tiv*'s **n*lin* o* options *rr*y *llow** JS *x**ution. T** p*t** (#*****) sp**i*i**lly ***** `v*li**