Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39324

Good to know:

icon

Date: January 27, 2023

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the "originalUrl" parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The "Open original dashboard" button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

Language: Go

Severity Score

Related Resources (10)

https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a
https://access.redhat.com/security/cve/CVE-2022-39324
https://github.com/grafana/grafana
https://github.com/grafana/grafana/pull/60256
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c
https://github.com/grafana/grafana/pull/60232
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
https://nvd.nist.gov/vuln/detail/CVE-2022-39324
https://security.netapp.com/advisory/ntap-20230309-0010/
https://www.mend.io/vulnerability-database/CVE-2022-39324

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version github.com/grafana/grafana - v9.2.8;github.com/grafana/grafana - v8.5.16

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): LOW

Do you need more information?

Contact Us