View | Details | Raw Unified | Return to bug 259638 | Differences between
and this patch

Collapse All | Expand All

(-)b/security/vuxml/vuln-2021.xml (+43 lines)
Lines 1-3 Link Here
1
  <vuln vid="4b478274-47a0-11ec-bd24-6c3be5272acd">
2
    <topic>Grafana -- XSS</topic>
3
    <affects>
4
      <package>
5
	<name>grafana8</name>
6
	<name>grafana</name>
7
	<range><ge>8.0.0</ge><lt>8.2.3</lt></range>
8
      </package>
9
    </affects>
10
    <description>
11
      <body xmlns="http://www.w3.org/1999/xhtml">
12
	<p>Grafana Labs reports:</p>
13
	<blockquote cite="https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/">
14
	  <p>If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.</p>
15
	  <p>The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.</p>
16
	  <p>There are two ways an unauthenticated user can open a page in Grafana that contains the login button:</p>
17
	  <ul>
18
	    <li>Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.</li>
19
	    <li>The link is to an unauthenticated page. The following pages are vulnerable:
20
	      <ul>
21
		<li><code>/dashboard-solo/snapshot/*</code></li>
22
		<li><code>/dashboard/snapshot/*</code></li>
23
		<li><code>/invite/:code</code></li>
24
	      </ul>
25
	    </li>
26
	  </ul>
27
	  <p>The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: <code>{{ }}</code></p>
28
	  <p>An example of an expression would be: <code>{{constructor.constructor(‘alert(1)’)()}}</code>. This can be included in the link URL like this:</p>
29
	  <p><a href="https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1">https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1</a></p>
30
	  <p>When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.</p>
31
	</blockquote>
32
      </body>
33
    </description>
34
    <references>
35
      <cvename>CVE-2021-41174</cvename>
36
      <url>https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/</url>
37
    </references>
38
    <dates>
39
      <discovery>2021-10-21</discovery>
40
      <entry>2021-11-17</entry>
41
    </dates>
42
  </vuln>
43
1
  <vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec">
44
  <vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec">
2
    <topic>chromium -- multiple vulnerabilities</topic>
45
    <topic>chromium -- multiple vulnerabilities</topic>
3
    <affects>
46
    <affects>

Return to bug 259638