QID 730423
Date Published: 2022-04-06
QID 730423: Grafana Multiple Security Vulnerabilities
Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application.
CVE-2022-21702: Affected versions of Grafana may allow an attacker to serve HTML content through the Grafana datasource or plugin proxy and trick a user into visiting that HTML page via a specially crafted link, resulting in a Cross-site Scripting (XSS) attack.
CVE-2022-21703: Affected versions of Grafana are subject to a cross-site request forgery vulnerability that allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users.
CVE-2022-21713: Affected versions of Grafana expose multiple API endpoints that do not properly enforce user authorization, allowing an authenticated attacker to see unintended data.
Affected Versions:
Grafana Version prior to 7.5.15
Grafana Version from 8.0.0 prior to 8.3.5
NOTE:
CVE-2022-21702: Grafana affected versions from 2.0.0-beta1 prior to 7.5.15 and from 8.0.0 prior to 8.3.5.
CVE-2022-21703: Grafana affected versions from 3.0-beta1 prior to 7.5.15 and from 8.0.0 prior to 8.3.5.
CVE-2022-21713: Grafana affected versions from 5.0.0-beta1 prior to 7.5.15 and from 8.0.0 prior to 8.3.5.
QID Detection Logic (Unauthenticated):
This QID checks for a vulnerable version of Grafana Enterprise based on the version reported in the server response.
Successful exploitation of these vulnerabilities may allow an authenticated attacker to steal sensitive user data or force a user to perform unwanted actions.
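The detection logic above reduces to a version-range comparison against the two fixed releases named in this advisory (7.5.15 for the 7.x branch, 8.3.5 for the 8.x branch). The following is an added example, not Qualys or Grafana code, that implements that comparison the way a defender would script it for an inventory sweep. It assumes the version string is read from Grafana's JSON health endpoint (assumed to carry a "version" field; the sample response bodies are constructed, not captured), and it treats pre-release tags such as "beta1" or "rc1" as sorting before the corresponding final release, so that 8.3.5-beta1 still counts as "prior to 8.3.5". Treating 8.0.0 pre-releases as inside the 8.x range is likewise an assumption.

```python
"""Version-range check mirroring the QID 730423 detection logic (added example)."""
import json
import re
from typing import Optional, Tuple

# (major, minor, patch, release_flag); release_flag is 0 for a pre-release, 1 for a final release
Version = Tuple[int, int, int, int]

# Fixed versions from the advisory: 7.5.15 closes the 7.x branch, 8.3.5 closes the 8.x branch.
FIXED_7X: Version = (7, 5, 15, 1)
FIXED_8X: Version = (8, 3, 5, 1)
FIRST_8X: Version = (8, 0, 0, 0)  # assumption: 8.0.0 pre-releases are treated as in range

# Accepts "8.3.4", "v7.5.14", "3.0-beta1", "2.0.0-beta1"
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse a Grafana version string into a comparable tuple, or None if unparseable.

    A pre-release tag (beta, rc) sets release_flag to 0 so that 8.3.5-beta1 sorts
    before 8.3.5 and is therefore still 'prior to' the fixed release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range from the advisory, False if not,
    None if the string could not be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    if v < FIXED_7X:                    # anything prior to 7.5.15 (covers 2.0.0-beta1 onwards)
        return True
    if FIRST_8X <= v < FIXED_8X:        # 8.0.0 up to but not including 8.3.5
        return True
    return False                         # 7.5.15, 7.5.x later fixes, 8.3.5 and newer


def version_from_health_response(body: str) -> Optional[str]:
    """Extract the 'version' field from a JSON health response body.

    Assumption: the health endpoint answers with a JSON object containing "version".
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    v = data.get("version") if isinstance(data, dict) else None
    return v if isinstance(v, str) else None


def assess(body: str) -> dict:
    """Combine extraction and range check into one verdict for a response body."""
    version = version_from_health_response(body)
    return {"version": version, "affected": is_affected(version) if version else None}


# Constructed sample responses (not captured from a real server).
SAMPLE_VULNERABLE = '{"commit":"abcdef0","database":"ok","version":"8.3.4"}'
SAMPLE_FIXED = '{"commit":"abcdef0","database":"ok","version":"8.3.5"}'

if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(assess(body))
```

Note the deliberate edge cases: 7.5.16 and later 7.5.x patch releases sit between the two ranges and are reported as not affected, while a parse failure yields None rather than False so that an unrecognised banner is surfaced for manual review instead of silently passing.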
Grafana 7.5.15 and 8.3.5 Vendor Advisory: grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
CVEs related to QID 730423
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Grafana 7.5.15 and 8.3.5 Vendor Advisory | Grafana | | grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ |