CVE-2023-22462 — Cross-site Scripting in Grafana Grafana

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

5.4MEDIUMNVD

CNA6.4

EPSS

20.0%

top 4.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedMar 2

Description

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. A…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDgrafana/grafana9.2.0 — 9.2.10+1

▶Gogithub.com/grafana_grafana9.2.0 — 9.2.10+1

▶CVEListV5grafana/grafana>= 9.2, < 9.2.10, >= 9.3, < 9.3.4+1

Patches

Patch: github.com ↗Patch: grafana.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-22462: Grafana is an open-source platform for monitoring and observability↗2023-03-02

▶

CVEList

Stored XSS in Grafana Text plugin↗2023-03-02

▶

OSV

Grafana vulnerable to Stored Cross-site Scripting in Text plugin↗2023-03-01

▶

GHSA

Grafana vulnerable to Stored Cross-site Scripting in Text plugin↗2023-03-01

▶

📋Vendor Advisories

Red Hat

grafana: stored XSS vulnerability affecting the core plugin "Text"↗2023-03-02

▶