CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-09-24T13:38:56
Updated: 2024-08-05T07:17:50.646Z
Reserved: 2018-03-27T00:00:00
Link: CVE-2018-9090
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-09-24T14:15:11.073
Modified: 2024-11-21T04:14:57.123
Link: CVE-2018-9090
Redhat
No data.