QID 730756

Date Published: 2023-03-13

QID 730756: Grafana Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities

Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

CVE-2023-22462: Grafana had a stored XSS vulnerability in the core plugin "Text". A user with the Editor role can inject JavaScript through a malicious dashboard; when a user with the Admin role views that dashboard, the script runs with the Admin's session and can change the Admin's password to a value the attacker knows, escalating the attacker to Admin privileges.

CVE-2022-23498: When datasource query caching is enabled, Grafana caches all headers, including the grafana_session cookie. As a result, any user who queries a datasource with caching enabled can acquire another user's session. Note that this issue is a session-token exposure through the query cache rather than a stored XSS, despite the QID title.

Affected Versions:
Grafana versions from 9.2.0 prior to 9.2.10
Grafana versions from 9.3.0 prior to 9.3.4

QID Detection Logic (Unauthenticated):
This QID checks for a vulnerable version of Grafana using the version string returned in the server response.
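As an added example (not Qualys' detection code and not Grafana's), the following Python reproduces the version-based check described above against a constructed sample of an unauthenticated Grafana /api/health response body. The affected ranges are the ones listed on this page; the field names in the sample body are assumed to match what /api/health returns. Versions are compared as integer tuples because a plain string comparison gets 9.2.9 and 9.2.10 the wrong way round.

```python
import json
import re

# Affected ranges taken from this advisory:
# 9.2.0 <= v < 9.2.10 and 9.3.0 <= v < 9.3.4
AFFECTED_RANGES = [
    ((9, 2, 0), (9, 2, 10)),
    ((9, 3, 0), (9, 3, 4)),
]

# Constructed sample of a GET /api/health response body (assumed field
# names: commit, database, version). Not captured from a real server.
SAMPLE_HEALTH_BODY = '{"commit": "abc1234", "database": "ok", "version": "9.3.2"}'

# Accept "9.3.2" as well as suffixed builds such as "9.3.2-pre".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '9.3.2' or '9.3.2-pre' into (9, 3, 2); return None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_from_health(body):
    """Extract the version string from an /api/health JSON body, or None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    v = data.get("version")
    return v if isinstance(v, str) else None


def is_affected(version):
    """True if the (major, minor, patch) tuple falls inside an affected range.

    Tuple comparison is deliberate: as strings, "9.2.9" < "9.2.10" is False.
    """
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def check_health_body(body):
    """Return (version_string, verdict).

    verdict is 'vulnerable', 'not vulnerable', or 'unknown' when the body
    carries no parseable version (for example, a proxy stripped it).
    """
    raw = version_from_health(body)
    if raw is None:
        return None, "unknown"
    parsed = parse_version(raw)
    if parsed is None:
        return raw, "unknown"
    return raw, "vulnerable" if is_affected(parsed) else "not vulnerable"


if __name__ == "__main__":
    print(check_health_body(SAMPLE_HEALTH_BODY))
```

Because the check is purely version-based, it will flag a build that carries a backported fix but still reports an affected version number, and it returns "unknown" rather than a verdict when the deployment hides the version; both cases need manual confirmation against the vendor advisory.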

Successful exploitation may allow an attacker with the Editor role to store malicious JavaScript in a dashboard; when a user with the Admin role views that dashboard, the script executes with the Admin's session and can change the Admin's password to a value the attacker knows, giving the attacker Admin-level access.

  • CVSS V3 rated as High - 8.8 severity.
  • CVSS V2 rated as Low - 3.6 severity.
  • Solution
    Grafana has released patched versions (9.2.10 and 9.3.4) to address these vulnerabilities. For more information, please refer to the Grafana Security Advisory.

    Vendor References

    CVEs related to QID 730756
    CVE-2023-22462
    CVE-2022-23498

    Software Advisories
    Advisory ID: Grafana Security Advisory
    Software Component: Grafana
    Link: grafana.com/security/security-advisories/cve-2023-22462/