Bug 2019952 (CVE-2021-41174) - CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL
Summary: CVE-2021-41174 grafana: XSS vulnerability on unauthenticated pages through in...
Keywords:
Status: NEW
Alias: CVE-2021-41174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2022700
Blocks: 2019953
TreeView+ depends on / blocked
 
Reported: 2021-11-03 17:08 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-03-10 13:36 UTC (History)
32 users (show)

Fixed In Version: grafana 8.2.3
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) vulnerability in grafana allows an attacker to execute arbitrary JavaScript code in the browser of a victim user. An attacker may send a link referencing a page where the victim is unauthenticated and contains the login button and including interpolation binding expressions (e.g. `{{` and `}}` in AngularJS) in the URL.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-11-03 17:08:34 UTC
A XSS vulnerability on unauthenticated pages was found in Grafana.

Reference:
https://www.openwall.com/lists/oss-security/2021/11/03/1

Comment 1 Riccardo Schirone 2021-11-04 10:42:32 UTC
Upstream patch:
https://github.com/grafana/grafana/compare/v8.2.2...v8.2.3


Note You need to log in before you can comment on or make changes to this bug.