Bug 2019952 (CVE-2021-41174) - CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL
Summary: CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through in...
Status: NEW
Alias: CVE-2021-41174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2022700
Blocks: 2019953
TreeView+ depends on / blocked
Reported: 2021-11-03 17:08 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-06-30 23:03 UTC (History)
31 users (show)

Fixed In Version: grafana 8.2.3
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) vulnerability in grafana allows an attacker to execute arbitrary JavaScript code in the browser of a victim user. An attacker may send a link referencing a page where the victim is unauthenticated and contains the login button and including interpolation binding expressions (e.g. `{{` and `}}` in AngularJS) in the URL.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-11-03 17:08:34 UTC
A XSS vulnerability on unauthenticated pages was found in Grafana.


Comment 1 Riccardo Schirone 2021-11-04 10:42:32 UTC
Upstream patch:

Note You need to log in before you can comment on or make changes to this bug.