CVE-2023-0594Cross-site Scripting in Grafana

CWE-79Cross-site ScriptingCWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)6 documents5 sources
Severity
5.4MEDIUMNVD
CNA7.3
EPSS
48.8%
top 2.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GrafanaGrafana EnterpriseGithub.com Grafana Grafana
Timeline
PublishedMar 1

Description

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This me

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

CVEListV5grafana/grafana7.0.08.5.21+2
NVDgrafana/grafana7.0.08.5.21+2
CVEListV5grafana/grafana_enterprise7.0.08.5.21+2
Gogithub.com/grafana_grafana7.0.08.5.21+2

🔴Vulnerability Details

4
OSV
CVE-2023-0594: Grafana is an open-source platform for monitoring and observability2023-03-01
CVEList
CVE-2023-0594: Grafana is an open-source platform for monitoring and observability2023-03-01
OSV
Grafana vulnerable to Cross-site Scripting2023-03-01
GHSA
Grafana vulnerable to Cross-site Scripting2023-03-01

📋Vendor Advisories

1
Red Hat
grafana: cross site scripting2023-03-01
CVE-2023-0594 — Cross-site Scripting in Grafana | cvebase