[manjaro-security] [ASA-202111-5] grafana: cross-site scripting

Jonas Witschel via arch-security arch-security at lists.archlinux.org
Tue Nov 9 15:16:06 CET 2021

Arch Linux Security Advisory ASA-202111-5

Severity: Medium
Date    : 2021-11-05
CVE-ID  : CVE-2021-41174
Package : grafana
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2517


The package grafana before version 8.2.3-1 is vulnerable to cross-site


Upgrade to 8.2.3-1.

# pacman -Syu "grafana>=8.2.3-1"

The problem has been fixed upstream in version 8.2.3.


To mitigate the issue, a reverse proxy or similar can be used to block
access to block the literal string "{{" in the path.


A security issue has been found in Grafana before version 8.2.3. If an
attacker is able to convince a victim to visit a URL referencing a
vulnerable page, arbitrary JavaScript content may be executed within
the context of the victim's browser.

The user visiting the malicious link must be unauthenticated and the
link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana
that contains the login button:
- Anonymous authentication is enabled. This means all pages in Grafana
would be open for the attack.
- The link is to an unauthenticated page. The following pages are
  - /dashboard-solo/snapshot/*
  - /dashboard/snapshot/*
  - /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain
the interpolation binding for AngularJS expressions. AngularJS uses
double curly braces for interpolation binding: {{ }}

An example of an expression would be:
"{{constructor.constructor(‘alert(1)’)()}}". This can be included in
the link URL like this:


When the user follows the link and the page renders, the login button
will contain the original link with a query parameter to force a
redirect to the login page. The URL is not validated and the AngularJS
rendering engine will execute the JavaScript expression contained in
the URL.


A remote attacker could execute arbitrary JavaScript code by tricking
an unauthenticated victim into opening a crafted URL.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20211109/6a8320e0/attachment.sig>

More information about the manjaro-security mailing list