CVE-2022-31097 — Cross-site Scripting in Grafana Grafana

CWE-79 — Cross-site Scripting7 documents5 sources

Severity

8.7HIGHNVD

CNA7.3

EPSS

48.1%

top 2.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedJul 15

Latest updateJun 5

Description

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use lega…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 2.3 | Impact: 5.8

Affected Packages3 packages

▶NVDgrafana/grafana8.0.0 — 8.3.10+3

▶Gogithub.com/grafana_grafana9.0.0 — 9.0.3+3

▶CVEListV5grafana/grafana4 versions+3

🔴Vulnerability Details

OSV

Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana↗2024-06-05

▶

OSV

Grafana Stored Cross-site Scripting in Unified Alerting↗2024-05-14

▶

GHSA

Grafana Stored Cross-site Scripting in Unified Alerting↗2024-05-14

▶

OSV

CVE-2022-31097: Grafana is an open-source platform for monitoring and observability↗2022-07-15

▶

CVEList

Stored XSS in Grafana's Unified Alerting↗2022-07-15

▶

📋Vendor Advisories

Red Hat

grafana: stored XSS vulnerability↗2022-07-14

▶