CVE-2025-2703
Published: 2025-04-23
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS: 10.61% (95.2nd percentile)
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability.
A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
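The precondition in the advisory is a user with Editor rights on a dashboard that contains (or can be given) an XY Chart panel, so the first scoping question is which dashboards already carry one. The following is an added example, not code from this page or from the Grafana project: it walks an exported dashboard model and lists XY Chart panels, descending into collapsed rows (whose child panels live in the row's own `panels` list) and flagging library-panel references, which carry no `type` in the dashboard JSON and have to be resolved through the library-panel API. The dashboard JSON is constructed for the example; the API paths mentioned in the comments are Grafana's `/api/search` and `/api/dashboards/uid/<uid>`, and `xychart` is the plugin id of the built-in XY Chart panel.

```python
import json

# Constructed dashboard export (not captured from a real instance). It mixes a
# plain panel, an XY Chart, a collapsed row hiding another XY Chart, and a
# library-panel reference whose type is only known once the library panel is
# resolved.
SAMPLE_DASHBOARD = json.loads("""
{
  "uid": "abc123",
  "title": "Latency overview",
  "panels": [
    {"id": 1, "type": "timeseries", "title": "p99 latency"},
    {"id": 2, "type": "xychart", "title": "Latency vs. load"},
    {"id": 3, "type": "row", "title": "Details", "collapsed": true,
     "panels": [
       {"id": 4, "type": "xychart", "title": "Error rate vs. RPS"}
     ]},
    {"id": 5, "title": "Shared panel",
     "libraryPanel": {"uid": "lib-9", "name": "Shared XY"}}
  ]
}
""")

VULNERABLE_PANEL_TYPE = "xychart"   # plugin id of the built-in XY Chart panel


def iter_panels(panels, path=()):
    """Yield (path, panel) for every panel, descending into collapsed rows.

    Grafana stores the panels of a collapsed row inside the row object's own
    'panels' list rather than at the top level, so a flat scan misses them.
    """
    for panel in panels:
        label = panel.get("title") or f"panel-{panel.get('id')}"
        yield path + (label,), panel
        if panel.get("type") == "row":
            yield from iter_panels(panel.get("panels", []), path + (label,))


def find_xychart_panels(dashboard):
    """Return XY Chart panels in one dashboard model, plus library-panel
    references that must be resolved separately (assumption: such references
    carry 'libraryPanel' and no 'type' in the dashboard JSON)."""
    hits, unresolved = [], []
    uid = dashboard.get("uid")
    for path, panel in iter_panels(dashboard.get("panels", [])):
        if "libraryPanel" in panel and "type" not in panel:
            unresolved.append((uid, "/".join(path), panel["libraryPanel"].get("uid")))
        elif panel.get("type") == VULNERABLE_PANEL_TYPE:
            hits.append((uid, "/".join(path), panel.get("id")))
    return {"xychart": hits, "unresolved_library_panels": unresolved}


if __name__ == "__main__":
    # Against a live instance: GET /api/search?type=dash-db, then
    # GET /api/dashboards/uid/<uid> for each hit and pass response["dashboard"].
    print(json.dumps(find_xychart_panels(SAMPLE_DASHBOARD), indent=2))
```

The output is a per-dashboard list you can hand to whoever reviews Editor activity until the fixed build is deployed; the unresolved library panels need a second lookup because one shared XY Chart can surface in many dashboards.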
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | >= 11.2.0 < 11.2.8+security-01 | 11.2.8+security-01 |
| grafana | grafana | >= 11.3.0 < 11.3.5+security-01 | 11.3.5+security-01 |
| grafana | grafana | >= 11.4.0 < 11.4.3+security-01 | 11.4.3+security-01 |
| grafana | grafana | >= 11.5.0 < 11.5.3+security-01 | 11.5.3+security-01 |
| grafana | grafana | >= 11.6.0 < 11.6.0+security-01 | 11.6.0+security-01 |
| grafana | grafana_enterprise | >= 11.2.0 < 11.2.8+security-01 | 11.2.8+security-01 |
| grafana | grafana_enterprise | >= 11.3.0 < 11.3.5+security-01 | 11.3.5+security-01 |
| grafana | grafana_enterprise | >= 11.4.0 < 11.4.3+security-01 | 11.4.3+security-01 |
| grafana | grafana_enterprise | >= 11.5.0 < 11.5.3+security-01 | 11.5.3+security-01 |
| grafana | grafana_enterprise | >= 11.6.0 < 11.6.0+security-01 | 11.6.0+security-01 |
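The table has a trap for anyone comparing versions with an off-the-shelf semver library: under strict semver the `+security-01` build metadata is ignored for ordering, which would make 11.6.0 and 11.6.0+security-01 compare equal even though one is vulnerable and the other fixed. The following is an added example, not code from this page or from Grafana: it folds the security build number into the comparison key, checks a version against the ranges above, and classifies the JSON returned by Grafana's unauthenticated `/api/health` endpoint. The health responses are constructed, the hostname in the comment is assumed, and a version outside every listed branch is reported as "not listed", not as safe.

```python
import json
import re

# Affected ranges copied from the advisory table: each branch is vulnerable
# from its .0 release up to, but not including, its +security-01 build.
AFFECTED_RANGES = [
    ("11.2.0", "11.2.8+security-01"),
    ("11.3.0", "11.3.5+security-01"),
    ("11.4.0", "11.4.3+security-01"),
    ("11.5.0", "11.5.3+security-01"),
    ("11.6.0", "11.6.0+security-01"),
]

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$"
)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a tuple that orders correctly.

    Strict semver never lets build metadata affect ordering, but Grafana ships
    fixes as '+security-NN' builds of an already-released version, so the build
    tag is the only thing separating 11.6.0 (vulnerable) from
    11.6.0+security-01 (fixed). It is therefore part of the key:
    (major, minor, patch, is_release, security_build_number).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, pre, build = m.groups()
    security = 0
    if build:
        sec = re.fullmatch(r"security-(\d+)", build)
        if sec:
            security = int(sec.group(1))
    is_release = 0 if pre else 1          # 11.2.8-pre sorts before 11.2.8
    return (int(major), int(minor), int(patch), is_release, security)


def is_affected(version):
    """True when the version lies inside one of the advisory's ranges.

    False for a version outside every listed branch (for example 11.1.x)
    means only 'not listed in this advisory', not 'known safe'.
    """
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(fixed)
               for lo, fixed in AFFECTED_RANGES)


def check_health_json(body):
    """Classify an instance from the JSON body of GET /api/health.

    The endpoint needs no login on a stock install. With hide_version = true
    in grafana.ini the 'version' field is empty and the remote check cannot
    decide; fall back to reading the package or binary version on the host.
    """
    data = json.loads(body)
    version = data.get("version") or ""
    if not version:
        return {"version": None, "affected": None,
                "reason": "version hidden by hide_version"}
    return {"version": version, "affected": is_affected(version), "reason": ""}


# Constructed sample responses; the hostname is assumed:
#   curl -s https://grafana.example.internal/api/health
SAMPLE_HEALTH_VULNERABLE = '{"commit": "deadbeef", "database": "ok", "version": "11.5.2"}'
SAMPLE_HEALTH_FIXED = '{"commit": "deadbeef", "database": "ok", "version": "11.5.3+security-01"}'
SAMPLE_HEALTH_HIDDEN = '{"commit": "", "database": "ok", "version": ""}'

if __name__ == "__main__":
    for body in (SAMPLE_HEALTH_VULNERABLE, SAMPLE_HEALTH_FIXED, SAMPLE_HEALTH_HIDDEN):
        print(check_health_json(body))
```

Note that 11.6.1 and later are not in any listed range, which is consistent with the table (the 11.6 fix shipped as 11.6.0+security-01 and is carried forward), while 11.5.3 without the build tag is still inside the 11.5 range.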
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L |
| vendor_redhat | | 6.8 | MEDIUM | |
Red Hat
grafana: Cross-Site Scripting in Grafana XY Chart Panel
vendor_redhat · 2025-04-23 · CVSS 6.8 (MEDIUM) · CWE-79
A DOM-based cross-site scripting vulnerability exists in Grafana's built-in XY Chart plugin. This flaw allows an attacker with Editor-level privileges to inject and execute arbitrary JavaScript code by editing an XY Chart panel. The vulnerability bypasses the Content Security Policy, allowing the script to execute when the chart is rendered.
Statement: This vulnerability is classified as a Moderate severity due to the ability of authenticated users with Editor permissions to inject arbitrary JavaScript into XY Chart panels. When the panel is rendered,
GHSA
GHSA-p2mq-5mvf-j4j6: The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability
ghsa_unreviewed · 2025-04-23 · MEDIUM · CWE-79
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.