Lines 1-3
Link Here
|
|
|
1 |
<vuln vid="4b478274-47a0-11ec-bd24-6c3be5272acd"> |
2 |
<topic>Grafana -- XSS</topic> |
3 |
<affects> |
4 |
<package> |
5 |
<name>grafana8</name> |
6 |
<name>grafana</name> |
7 |
<range><ge>8.0.0</ge><lt>8.2.3</lt></range> |
8 |
</package> |
9 |
</affects> |
10 |
<description> |
11 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
12 |
<p>Grafana Labs reports:</p> |
13 |
<blockquote cite="https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/"> |
14 |
<p>If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.</p> |
15 |
<p>The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.</p> |
16 |
<p>There are two ways an unauthenticated user can open a page in Grafana that contains the login button:</p> |
17 |
<ul> |
18 |
<li>Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.</li> |
19 |
<li>The link is to an unauthenticated page. The following pages are vulnerable: |
20 |
<ul> |
21 |
<li><code>/dashboard-solo/snapshot/*</code></li> |
22 |
<li><code>/dashboard/snapshot/*</code></li> |
23 |
<li><code>/invite/:code</code></li> |
24 |
</ul> |
25 |
</li> |
26 |
</ul> |
27 |
<p>The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: <code>{{ }}</code></p> |
28 |
<p>An example of an expression would be: <code>{{constructor.constructor(‘alert(1)’)()}}</code>. This can be included in the link URL like this:</p> |
29 |
<p><a href="https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1">https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1</a></p> |
30 |
<p>When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.</p> |
31 |
</blockquote> |
32 |
</body> |
33 |
</description> |
34 |
<references> |
35 |
<cvename>CVE-2021-41174</cvename> |
36 |
<url>https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/</url> |
37 |
</references> |
38 |
<dates> |
39 |
<discovery>2021-10-21</discovery> |
40 |
<entry>2021-11-17</entry> |
41 |
</dates> |
42 |
</vuln> |
43 |
|
1 |
<vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec"> |
44 |
<vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec"> |
2 |
<topic>chromium -- multiple vulnerabilities</topic> |
45 |
<topic>chromium -- multiple vulnerabilities</topic> |
3 |
<affects> |
46 |
<affects> |