CVE-2020-24303
Description
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Grafana before 7.1.0-beta1 permits stored XSS via a crafted Elasticsearch query alias, allowing attackers to execute JavaScript in dashboard viewers' browsers.
Vulnerability Overview
CVE-2020-24303 describes a stored Cross-Site Scripting (XSS) vulnerability in Grafana, affecting versions prior to 7.1.0-beta1. The flaw exists in how the Elasticsearch datasource handles query aliases: an attacker can inject malicious JavaScript code into the query alias field, which is later rendered in the dashboard UI without proper sanitization or output encoding. [1] [3]
Attack Vector and Prerequisites
To exploit this vulnerability, an attacker must have write access to a Grafana dashboard (i.e., be able to create or edit panels that use the Elasticsearch datasource). The attacker then creates a query with a malicious alias containing JavaScript payloads, such as ``. When any user views the affected dashboard, the injected script executes in their browser context. No additional user interaction is required beyond viewing the dashboard. [4]
Potential Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any dashboard viewer. This can lead to session hijacking, data exfiltration (including queries, secrets, or CSRF tokens), defacement of dashboards, or redirection to malicious sites. The impact is amplified in multi-tenant Grafana instances where attackers and targets share a Grafana server but may belong to different organizations. [1] [4]
Mitigation Status
The vulnerability is fixed in Grafana version 7.1.0-beta1 and later. Users are strongly advised to upgrade to this version or newer. The fix was implemented in pull request #25401, which sanitizes series override aliases to prevent script injection. If an upgrade is not immediately possible, restricting dashboard editing permissions to trusted users is a recommended workaround. [1] [3] [4]
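The sink and the fix side by side, as an added example that is not Grafana's code and not the change from PR #25401: the query alias is attacker-controlled stored data, so it must be HTML-encoded at the point where it is written into the legend markup. The `renderLegend*` functions and the sample alias are constructed for this illustration.

```javascript
// Added example (not Grafana's own code): an unsanitized alias is a
// stored-XSS sink; HTML-encoding it at the output boundary closes the hole.
// The alias values below are constructed for the demonstration.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the alias is concatenated straight into markup, so
// a stored alias that contains a tag is rendered as a tag in every viewer's browser.
function renderLegendUnsafe(series) {
  return series.map((s) => `<li class="legend-item">${s.alias}</li>`).join('');
}

// Hardened pattern: every untrusted field is encoded before it reaches the DOM.
function renderLegendSafe(series) {
  return series
    .map((s) => `<li class="legend-item">${escapeHtml(s.alias)}</li>`)
    .join('');
}

// Review check: if a tag or an inline event handler survives in the rendered
// output, the alias reached the DOM unencoded and is an XSS sink.
function containsActiveContent(html) {
  return /<\s*(script|img|svg|iframe)\b/i.test(html) || /\bon\w+\s*=/i.test(html);
}

// Constructed sample: two stored aliases from an Elasticsearch query definition,
// one benign and one carrying a script tag.
const sampleSeries = [
  { alias: 'cpu.usage' },
  { alias: '<script>alert(1)</script>' },
];

const unsafe = renderLegendUnsafe(sampleSeries);
const safe = renderLegendSafe(sampleSeries);
console.log('unsafe markup carries active content:', containsActiveContent(unsafe)); // true
console.log('encoded markup is inert:', !containsActiveContent(safe));               // true
```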
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/grafana/grafana | Go | < 7.1.0-beta1 | 7.1.0-beta1 |
Affected products
- Grafana/Grafana
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-mvpr-q6rh-8vrp (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-24303 (GHSA, advisory)
3. github.com/grafana/grafana/blob/master/CHANGELOG.md (GHSA, x_refsource_MISC, web)
4. github.com/grafana/grafana/pull/25401 (GHSA, x_refsource_MISC, web)
5. security.netapp.com/advisory/ntap-20201123-0002 (GHSA, web)
6. security.netapp.com/advisory/ntap-20201123-0002/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.