CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-24T13:38:56

Updated: 2024-08-05T07:17:50.646Z

Reserved: 2018-03-27T00:00:00

Link: CVE-2018-9090

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-09-24T14:15:11.073

Modified: 2024-11-21T04:14:57.123

Link: CVE-2018-9090

cve-icon Redhat

No data.