First published: Mon Jun 08 2020
A flaw was found in Grafana. An XSS via a query alias for the ElasticSearch datasource is allowed.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/grafana | <0:7.3.6-2.el8 | 0:7.3.6-2.el8 |
Grafana Grafana | <=7.0.5 | |
redhat/grafana | <7.1.0 | 7.1.0 |
go/github.com/grafana/grafana | <7.1.0-beta1 | 7.1.0-beta1 |
CVE-2020-24303 is a vulnerability in Grafana that allows for XSS (Cross-Site Scripting) attacks via a query alias for the ElasticSearch datasource.
CVE-2020-24303 has a severity rating of 6.1 (medium).
Grafana versions before 7.1.0-beta1 are affected by CVE-2020-24303 if they allow query aliases for the ElasticSearch datasource.
To fix CVE-2020-24303, ensure that you are using Grafana version 7.1.0-beta1 or higher.
You can find more information about CVE-2020-24303 at the following links: [CVE-2020-24303](https://www.cve.org/CVERecord?id=CVE-2020-24303), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-24303), [GitHub Pull Request](https://github.com/grafana/grafana/pull/25401), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1892418), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2021:1859).