CVE-2023-1410
March 23, 2023
Grafana is an open-source platform for monitoring and observability.
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
Affected Packages
github.com/grafana/grafana (GO):
Affected version(s) >=v8.0.0 <v8.5.22Fix Suggestion:
Update to version v8.5.22github.com/grafana/grafana (GO):
Affected version(s) >=v9.0.0 <v9.2.15Fix Suggestion:
Update to version v9.2.15github.com/grafana/grafana (GO):
Affected version(s) >=v9.4.0 <v9.4.7Fix Suggestion:
Update to version v9.4.7github.com/grafana/grafana (GO):
Affected version(s) >=v9.3.0 <v9.3.11Fix Suggestion:
Update to version v9.3.11Related Resources (11)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
EPSS
Base Score:
1.22
