CVE-2023-0507Cross-site Scripting in Grafana

CWE-79Cross-site ScriptingCWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)6 documents5 sources
Severity
5.4MEDIUMNVD
CNA7.3
EPSS
63.5%
top 1.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GrafanaGrafana EnterpriseGithub.com Grafana Grafana
Timeline
PublishedMar 1

Description

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing Ja

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

CVEListV5grafana/grafana8.1.08.5.21+2
NVDgrafana/grafana8.1.08.5.21+2
CVEListV5grafana/grafana_enterprise8.1.08.5.21+2
Gogithub.com/grafana_grafana8.1.08.5.21+2

🔴Vulnerability Details

4
GHSA
Grafana vulnerable to Cross-site Scripting2023-03-01
CVEList
CVE-2023-0507: Grafana is an open-source platform for monitoring and observability2023-03-01
OSV
Grafana vulnerable to Cross-site Scripting2023-03-01
OSV
CVE-2023-0507: Grafana is an open-source platform for monitoring and observability2023-03-01

📋Vendor Advisories

1
Red Hat
grafana: cross site scripting2023-03-01
CVE-2023-0507 — Cross-site Scripting in Grafana | cvebase