CVE-2023-0507
Published 2023-03-01
CVE-2023-0507: Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap.
Priority: P3 · Severity: medium (5.4, CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 15.46% (96.4th percentile)
Grafana is an open-source platform for monitoring and observability.
Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible because map attributions were not properly sanitized, which allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript.
This means that vertical privilege escalation is possible: a user with the Editor role can change an Admin-role user's password to a known value if that Admin user executes the malicious JavaScript while viewing a dashboard.
Users may upgrade to version 8.5.21, 9.2.13 or 9.3.8 to receive a fix.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 8.1.0 < 8.5.21 | 8.5.21 |
| github.com | grafana_grafana | >= 9.0.0 < 9.2.13 | 9.2.13 |
| github.com | grafana_grafana | >= 9.3.0 < 9.3.8 | 9.3.8 |
| grafana | grafana | — | — |
| grafana | grafana | >= 8.1.0 < 8.5.21 | 8.5.21 |
| grafana | grafana | >= 9.2.0 < 9.2.13 | 9.2.13 |
| grafana | grafana | >= 9.3.0 < 9.3.8 | 9.3.8 |
| grafana | grafana_oss | — | — |
Detection & IOCs (extracted from sources)
- Stored XSS payload is injected via the GeoMap plugin's Attribution text field in a Grafana dashboard panel; monitor for unsanitized HTML/JavaScript in that specific field.
- The attack vector requires the Editor role; alert on Editor-role users modifying GeoMap panels, especially those adding script tags or JavaScript URIs to map attribution fields.
- Post-exploitation technique uses XHR to call Grafana's API to change an admin user's password; monitor for unexpected password-change API calls originating from browser sessions of admin users viewing dashboards.
- Privilege escalation indicator: an Editor-role account gaining Admin-role access shortly after an Admin user viewed a GeoMap-containing dashboard should be treated as a high-confidence compromise signal.
- Mitigation/detection gap: Grafana's Content-Security-Policy blocks inline scripts; absence of CSP headers in Grafana responses indicates the instance remains exploitable.
- Vulnerability only affects Grafana instances running the 8.1 branch and later, up to the fixed versions; instances below 8.1 are not affected.
- Fixed versions are 8.5.21, 9.2.13, and 9.3.8; detections targeting unpatched instances should scope to versions below these thresholds.
- Red Hat Enterprise Linux 8 and several other Red Hat products ship a version of Grafana that is listed as Not Affected; detection scope should be adjusted accordingly for those environments.
- OpenShift Service Mesh 2.1 (servicemesh-grafana) is explicitly Not Affected; do not apply detections to that package.
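One way to turn the first two detection items above into a check, as an added example that is not from any of the page's sources: scan a Grafana dashboard JSON export for geomap panels whose layer attribution contains markup. The field layout (options.basemap and options.layers[].config.attribution) and the sample dashboard are assumptions constructed for this example.

```javascript
// Added example, not from the page's sources: scan a Grafana dashboard JSON
// export for geomap panels whose layer attribution carries markup. The
// field layout (options.basemap / options.layers[].config.attribution) is
// assumed here; adjust the path if your Grafana version differs.

// Patterns that should never appear in a plain-text attribution.
const SUSPICIOUS = [
  /<\s*script\b/i,                        // script tags
  /\bjavascript\s*:/i,                    // javascript: URIs
  /\son\w+\s*=/i,                         // inline event handlers
  /<\s*(iframe|object|embed|svg|img)\b/i, // other active or attribute-bearing tags
];

// Recursively collect panels, including those nested under row panels.
function collectPanels(panels, out = []) {
  for (const p of panels || []) {
    out.push(p);
    if (Array.isArray(p.panels)) collectPanels(p.panels, out);
  }
  return out;
}

// Return one finding per geomap layer whose attribution looks like markup.
function findRiskyAttributions(dashboard) {
  const findings = [];
  for (const panel of collectPanels(dashboard.panels)) {
    if (panel.type !== 'geomap') continue;
    const opts = panel.options || {};
    // Layer index 0 is the basemap; data layers follow in their own order.
    const layers = [opts.basemap, ...(opts.layers || [])];
    layers.forEach((layer, i) => {
      const attr = layer && layer.config && layer.config.attribution;
      if (typeof attr !== 'string') return;
      const hit = SUSPICIOUS.find(re => re.test(attr));
      if (hit) findings.push({ panelId: panel.id, layer: i, pattern: String(hit) });
    });
  }
  return findings;
}

// Constructed sample dashboard: one clean geomap panel, one with markup nested under a row.
const SAMPLE_DASHBOARD = {
  panels: [
    { id: 1, type: 'geomap', options: { layers: [
      { config: { attribution: '&copy; OpenStreetMap contributors' } } ] } },
    { id: 2, type: 'row', panels: [
      { id: 3, type: 'geomap', options: { layers: [
        { config: { attribution: 'Tiles <script>marker()</script>' } } ] } } ] },
  ],
};
```

Run the scan against exported dashboards (for example, from a Git-backed provisioning repo) and treat any finding as a review item for the Editor who last saved the panel.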
CVSS provenance
- NVD (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- OSV: 5.4 MEDIUM
- Red Hat (vendor): 7.3 HIGH
Red Hat · vendor_redhat · 2023-03-01 · CVSS 7.3
CVE-2023-0507 [HIGH] CWE-80 grafana: cross site scripting
GHSA (unreviewed) · 2026-06-22 · CVSS 5.4
CVE-2026-9029 [MEDIUM] The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug.
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
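An added illustration of the ordering bug just described, not Grafana's code: toySanitize and toyReplace are assumed stand-ins for sanitizeTextPanelContent() and getTemplateSrv().replace(), and the corrected variant shows the order a defender wants (escape each value, interpolate, then sanitize the string that reaches innerHTML).

```javascript
// Added illustration, not Grafana's code: the sanitize-then-interpolate
// ordering bug, modelled with toy stand-ins (assumed) for
// sanitizeTextPanelContent() and getTemplateSrv().replace().

// Toy sanitizer: strips <script> blocks and inline event handlers. Its
// strength is beside the point; the order in which it runs is the bug.
function toySanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Toy template replacement: substitutes ${name} with the variable's value
// verbatim, as a glob-style format with no HTML escaping would.
function toyReplace(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : m);
}

// HTML-escape a substituted value so it can only ever render as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable ordering: sanitize the raw template, then interpolate the
// Editor-controlled variable value unescaped into the sanitized string.
function attributionVulnerable(template, vars) {
  return toyReplace(toySanitize(template), vars);
}

// Fixed ordering: escape each value, interpolate, then sanitize the final
// string that will actually reach element.innerHTML.
function attributionFixed(template, vars) {
  const escaped = Object.fromEntries(
    Object.entries(vars).map(([k, v]) => [k, escapeHtml(String(v))]));
  return toySanitize(toyReplace(template, escaped));
}

// Constructed sample: a textbox variable whose default value carries markup.
const TEMPLATE = 'Tiles &copy; ${attribution}';
const VARS = { attribution: 'Example<script>marker()</script>' };

// True if a <script> tag survived into the string bound for innerHTML.
function containsScript(html) {
  return /<script\b/i.test(html);
}
```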
GHSA · ghsa · 2023-03-01
CVE-2023-0507 [MEDIUM] CWE-79 Grafana vulnerable to Cross-site Scripting
OSV · osv · 2023-03-01
CVE-2023-0507 [MEDIUM] Grafana vulnerable to Cross-site Scripting
OSV · osv · 2023-03-01 · CVSS 5.4
CVE-2023-0507 [MEDIUM] CVE-2023-0507: Grafana is an open-source platform for monitoring and observability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.