2019952 – (CVE-2021-41174) CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL

Bug 2019952 (CVE-2021-41174) - CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL

Summary: CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through in...

Keywords:
Status:	NEW
Alias:	CVE-2021-41174
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2022700
Blocks:	2019953
TreeView+	depends on / blocked

Reported:	2021-11-03 17:08 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-10-25 17:21 UTC (History)
CC List:	29 users (show)
Fixed In Version:	grafana 8.2.3
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-11-03 17:08:34 UTC

A XSS vulnerability on unauthenticated pages was found in Grafana.

Reference:
https://www.openwall.com/lists/oss-security/2021/11/03/1

Comment 1 Riccardo Schirone 2021-11-04 10:42:32 UTC

Upstream patch:
https://github.com/grafana/grafana/compare/v8.2.2...v8.2.3

Comment 4 Riccardo Schirone 2021-11-04 10:46:44 UTC

Upstream advisory:
https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
anharris
anpicker
aos-bugs
bmontgom
bniver
eparis
flucifre
gmeno
gparvin
grafana-maint
hvyas
jburrell
jkurik
jwendell
mbenjamin
mhackett
nathans
nstielau
pahickey
puebele
rcernich
sostapov
spasquie
sponnaga
stcannon
twalsh
vereddy
vkumar