CVE-2023-0507
published 2023-03-01


Priority: P3 · 36 · medium · 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 15.46% (96.4th percentile)
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions were not properly sanitized, which allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible: a user with the Editor role can change the password of a user having the Admin role to a known value if the Admin user executes the malicious JavaScript while viewing a dashboard. Users may upgrade to versions 8.5.21, 9.2.13 or 9.3.8 to receive a fix.

Affected

8 ranges

Vendor      | Product          | Version range      | Fixed in
------------|------------------|--------------------|---------
github.com  | grafana_grafana  | >= 8.1.0 < 8.5.21  | 8.5.21
github.com  | grafana_grafana  | >= 9.0.0 < 9.2.13  | 9.2.13
github.com  | grafana_grafana  | >= 9.3.0 < 9.3.8   | 9.3.8
grafana     | grafana          |                    |
grafana     | grafana          | >= 8.1.0 < 8.5.21  | 8.5.21
grafana     | grafana          | >= 9.2.0 < 9.2.13  | 9.2.13
grafana     | grafana          | >= 9.3.0 < 9.3.8   | 9.3.8
grafana     | grafana_oss      |                    |

Detection & IOCs (extracted from sources)

  • Stored XSS payload is injected via the GeoMap plugin's Attribution text field in a Grafana dashboard panel — monitor for unsanitized HTML/JavaScript in that specific field
  • The attack vector requires the Editor role; alert on Editor-role users modifying GeoMap panels, especially those adding script tags or JavaScript URIs to map attribution fields
  • Post-exploitation technique uses XHR to call Grafana's API to change an admin user's password — monitor for unexpected password-change API calls originating from browser sessions of admin users viewing dashboards
  • Privilege escalation indicator: an Editor-role account gaining Admin-role access shortly after an Admin user viewed a GeoMap-containing dashboard should be treated as a high-confidence compromise signal
  • Mitigation/detection gap: Grafana's Content-Security-Policy blocks inline scripts; absence of CSP headers in Grafana responses indicates the instance remains exploitable
  • Vulnerability only affects Grafana instances running version 8.1 branch and later, up to the fixed versions; instances below 8.1 are not affected
  • Fixed versions are 8.5.21, 9.2.13, and 9.3.8 — detections targeting unpatched instances should scope to versions below these thresholds
  • Red Hat Enterprise Linux 8 and several other Red Hat products ship a version of Grafana that is listed as Not Affected; detection scope should be adjusted accordingly for those environments
  • OpenShift Service Mesh 2.1 (servicemesh-grafana) is explicitly Not Affected; do not apply detections to that package
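An added example, not part of this record or of Grafana's own code, of the first detection bullet above: a scanner that walks an exported dashboard JSON and flags GeoMap panels whose attribution text contains script tags, javascript: URIs or inline event handlers. The JSON paths (`options.basemap.config.attribution` and `options.layers[].config.attribution`) are assumptions about the GeoMap panel model, and the sample dashboard is constructed. Links in attributions are normal (map providers require them), so plain HTML is not flagged.

```python
import re

# Heuristic: attribution text legitimately contains links (e.g. "&copy; <a href=...>OSM</a>"),
# so flag only script tags, javascript: URIs and inline event-handler attributes.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def _layer_attributions(panel):
    """Yield attribution strings from the basemap and overlay layers (assumed JSON paths)."""
    opts = panel.get("options") or {}
    layers = [opts.get("basemap") or {}] + list(opts.get("layers") or [])
    for layer in layers:
        attribution = (layer.get("config") or {}).get("attribution")
        if isinstance(attribution, str):
            yield attribution

def _walk_panels(panels):
    """Yield every panel, descending into rows that nest their own panels."""
    for panel in panels:
        yield panel
        yield from _walk_panels(panel.get("panels") or [])

def find_suspicious_attributions(dashboard):
    """Return (panel id, attribution) pairs for GeoMap panels whose attribution looks scripted."""
    hits = []
    for panel in _walk_panels(dashboard.get("panels") or []):
        if panel.get("type") != "geomap":
            continue
        for attribution in _layer_attributions(panel):
            if SUSPICIOUS.search(attribution):
                hits.append((panel.get("id"), attribution))
    return hits

# Constructed sample: a benign GeoMap, a GeoMap nested in a row with a scripted attribution, and a non-map panel.
SAMPLE_DASHBOARD = {"panels": [
    {"id": 1, "type": "geomap", "options": {"basemap": {"config": {"attribution": "&copy; <a href='https://www.openstreetmap.org/copyright'>OpenStreetMap</a>"}}}},
    {"id": 2, "type": "row", "panels": [
        {"id": 3, "type": "geomap", "options": {"basemap": {"config": {}}, "layers": [
            {"config": {"attribution": "tiles <script>/* constructed sample */</script>"}}]}}]},
    {"id": 4, "type": "timeseries", "options": {}},
]}

if __name__ == "__main__":
    for panel_id, attribution in find_suspicious_attributions(SAMPLE_DASHBOARD):
        print(f"panel {panel_id}: suspicious attribution {attribution!r}")
```

To run it against a live instance, feed `find_suspicious_attributions` the `dashboard` object of each dashboard exported via the Grafana HTTP API, and scope the check to instances below the fixed versions listed above.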

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------------------------------------------
nvd           | v3.1    | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv           |         | 5.4   | MEDIUM   |
vendor_redhat |         | 7.3   | HIGH     |