Vulnerability Information
Although we use advanced large language model technology, its output may still contain inaccurate or outdated information. 神龙 strives to ensure the accuracy of its data, but please verify and judge according to your actual circumstances.
Vulnerability Title
Grafana vulnerable to spoofing originalUrl of snapshots
Vulnerability Description
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query with a web proxy. When another user opens the URL of the snapshot, they are presented with the regular web interface delivered by the trusted Grafana server, but the `Open original dashboard` button no longer points to the real original dashboard; it points to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
Grafana cross-site scripting vulnerability
Vulnerability Description
Grafana is an open-source monitoring tool from Grafana that provides a visual monitoring interface. It is mainly used to monitor and analyze Graphite, InfluxDB, Prometheus and similar data sources. Grafana 8.x versions before 8.5.16 and 9.x versions before 9.2.8 contain a cross-site scripting vulnerability. The vulnerability stems from a malicious user being able to create a snapshot and arbitrarily choose the originalUrl parameter by editing the query; when another user opens the snapshot's URL, they see the regular web interface served by the trusted Grafana server, but the "Open original dashboard" button no longer points to the real original dashboard and instead points to the URL injected by the attacker.
CVSS Information
N/A
Vulnerability Type
N/A
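The root cause described in both entries above is that the server stores a client-supplied `originalUrl` and later renders it as the target of the "Open original dashboard" button. As an added illustration, not Grafana's own code or its actual fix, the Go function below shows one server-side mitigation: accept only a dashboard path on the same Grafana instance, so the button can never leave the trusted server. The `/d/` and `/dashboard/` route prefixes, the function name and the sample inputs are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// validateOriginalURL is a hypothetical check (not Grafana's code) applied to
// the originalUrl value submitted when a snapshot is created. It returns the
// normalized value to store, or an error if the value would point the
// "Open original dashboard" button anywhere other than this instance.
func validateOriginalURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", fmt.Errorf("originalUrl is empty")
	}
	// Some browsers treat a backslash like a slash, turning "/\host" into
	// the protocol-relative "//host", so reject backslashes outright.
	if strings.Contains(raw, `\`) {
		return "", fmt.Errorf("originalUrl contains a backslash")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("originalUrl does not parse: %w", err)
	}
	// Any scheme (https:, javascript:, data:), host (including the
	// protocol-relative "//host/...") or userinfo means the link leaves
	// this server; only a bare path is acceptable.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" || u.User != nil {
		return "", fmt.Errorf("originalUrl must be a path on this server, got %q", raw)
	}
	// Assumed dashboard routes served by this instance.
	if !strings.HasPrefix(u.Path, "/d/") && !strings.HasPrefix(u.Path, "/dashboard/") {
		return "", fmt.Errorf("originalUrl %q is not a dashboard path", u.Path)
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one legitimate path and several values an
	// attacker could substitute by editing the request with a proxy.
	for _, in := range []string{
		"/d/abc123/my-dashboard?orgId=1",
		"https://attacker.example/login",
		"//attacker.example/login",
		"javascript:alert(document.domain)",
		`/\attacker.example`,
	} {
		out, err := validateOriginalURL(in)
		fmt.Printf("%-36s -> %q, %v\n", in, out, err)
	}
}
```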