CVE-2022-21702: Cross-site Scripting in Grafana (grafana/grafana)

Severity: 5.4 MEDIUM (NVD); 6.5 (CNA)
EPSS: 1.2% (top 20.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 8; latest update Apr 29

Description

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content through the Grafana datasource or plugin proxy, trick a user into visiting this HTML page using a specially crafted link, and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or set up their own public service and instruct anyone to configure it in their Grafana instance. To be impacted,

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

Source      Package                      Affected versions
NVD         grafana/grafana              2.0.1 to 7.5.15 (+2 more ranges)
Go          github.com/grafana/grafana   2.0.0-beta1 to 7.5.15 (+1 more range)
CVEListV5   grafana/grafana              >= 2.0.0-beta1, < 7.5.15; >= 8.0.0, < 8.3.5 (+1 more range)

Also affects: Fedora 34, 35, 36

Patches

Vulnerability Details (6)

OSV      linux-aws-5.15 vulnerabilities                                   2025-04-29
OSV      linux-aws-fips, linux-fips, linux-gcp-fips vulnerabilities       2025-04-24
OSV      Grafana proxy Cross-site Scripting                               2024-05-14
GHSA     Grafana proxy Cross-site Scripting                               2024-05-14
CVEList  Cross site scripting in Grafana proxy                            2022-02-08

Vendor Advisories (1)

Red Hat  grafana: XSS vulnerability in data source handling               2022-02-08
CVE-2022-21702 — Cross-site Scripting | cvebase