A security issue has been found in Grafana before version 8.2.3. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser.
|
The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.
|
There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

- Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.

- The link is to an unauthenticated page. The following pages are vulnerable:

  - /dashboard-solo/snapshot/*

  - /dashboard/snapshot/*

  - /invite/:code
|
The URL has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}
|
An example of an expression would be: "{{constructor.constructor('alert(1)')()}}". This can be included in the link URL like this:
|
https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
|
When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.
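As an added detection example (not part of the advisory and not Grafana code), the following scans web-server access logs for requests to the unauthenticated paths listed above whose URL-decoded target carries an AngularJS interpolation binding; the log lines, the `anonymous_auth_enabled` switch and the function names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Nov/2021:10:00:00 +0000] "GET /dashboard/snapshot/abc123?orgId=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2021:10:00:01 +0000] "GET /dashboard/snapshot/%7B%7Bconstructor.constructor(\'alert(1)\')()%7D%7D?orgId=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Nov/2021:10:00:02 +0000] "GET /invite/%7b%7b1%2b1%7d%7d HTTP/1.1" 404 90',
    '10.0.0.8 - - [01/Nov/2021:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 20',
    '10.0.0.8 - - [01/Nov/2021:10:00:04 +0000] "GET /d/xyz/%7B%7Bx%7D%7D HTTP/1.1" 302 0',
]

# Unauthenticated pages named in the advisory that render the login button.
VULNERABLE_PREFIXES = ("/dashboard-solo/snapshot/", "/dashboard/snapshot/", "/invite/")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INTERPOLATION_RE = re.compile(r"\{\{.*\}\}")


def decode_target(target: str) -> str:
    # Decode twice so that double-encoded braces (%257B) are still seen.
    return unquote(unquote(target))


def is_suspicious(target: str, anonymous_auth_enabled: bool = False) -> bool:
    """True if the request targets a page that can show the login button
    and its URL contains an AngularJS interpolation binding."""
    decoded = decode_target(target)
    path = decoded.split("?", 1)[0]
    # With anonymous auth every page is exposed; otherwise only the listed paths.
    if not anonymous_auth_enabled and not path.startswith(VULNERABLE_PREFIXES):
        return False
    return INTERPOLATION_RE.search(decoded) is not None


def scan_logs(lines, anonymous_auth_enabled: bool = False):
    """Return (method, decoded target) for each log line that looks like an attempt."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target"), anonymous_auth_enabled):
            hits.append((m.group("method"), decode_target(m.group("target"))))
    return hits


if __name__ == "__main__":
    for method, target in scan_logs(SAMPLE_LOGS):
        print(f"suspicious {method} {target}")
```

Run it against real logs by replacing SAMPLE_LOGS; set `anonymous_auth_enabled=True` when the instance allows anonymous access, since then the path allow-list no longer narrows the exposure.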