QID 730771
Date Published: 2023-04-04
QID 730771: Grafana Stored Cross-Site Scripting (XSS) Vulnerability
Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
When a user adds a Graphite data source, they can then use it in a dashboard. Graphite queries support Functions. Once a function is selected, a small tooltip appears when hovering over the function's name; it lets the user delete the selected Function from the query or show the Function Description. However, the description is added to the DOM without any sanitization.
Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance whose Function Descriptions contain XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, the attacker-controlled XSS payload is executed.
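The root cause described above is a remote-supplied string being inserted into the page as markup. The following is an added example, not Grafana's code, that contrasts the unsafe pattern with the fix: a tooltip template that concatenates the data source's description directly, and one that escapes every remote string first. The function object shape, the `escapeHtml` helper and the sample description are assumptions constructed for illustration.

```javascript
// Added example (not Grafana's code): rendering a tooltip from a data-source-supplied
// function description. The Graphite function descriptions come from the remote data
// source, so they must be treated as untrusted text, never as markup.

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the remote description is concatenated straight into markup,
// so any tags it carries become part of the DOM when this string is assigned to innerHTML.
function renderTooltipUnsafe(fn) {
  return `<div class="tooltip"><b>${fn.name}</b><p>${fn.description}</p></div>`;
}

// Hardened pattern: every remote string is escaped before it becomes HTML.
function renderTooltipSafe(fn) {
  return `<div class="tooltip"><b>${escapeHtml(fn.name)}</b><p>${escapeHtml(fn.description)}</p></div>`;
}

// Does the rendered markup contain any element the template itself did not emit?
// A crude structural check, used here only to make the difference observable.
function containsForeignTag(html) {
  const allowed = new Set(['div', '/div', 'b', '/b', 'p', '/p']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a description carrying markup, as a hostile data source might return.
const sampleFunction = {
  name: 'sumSeries',
  description: 'Adds metrics together <i>marked-up text</i>',
};

console.log('unsafe render introduces foreign tags:', containsForeignTag(renderTooltipUnsafe(sampleFunction)));
console.log('safe render introduces foreign tags:  ', containsForeignTag(renderTooltipSafe(sampleFunction)));
```

In real browser code the simplest fix is to avoid building HTML strings for remote text at all and assign the description with `textContent` (or pass it through a sanitizer such as DOMPurify) before it reaches the DOM; the escaping helper above makes the same distinction visible without a DOM.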
Affected Versions:
Grafana versions from 8.5.0 to 8.5.21
Grafana versions from 9.2.0 to 9.2.14
Grafana versions from 9.3.0 to 9.3.10
Grafana versions from 9.4.0 to 9.4.6
This QID checks for vulnerable versions of Grafana based on the version reported in the server response.
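The version check behind this QID can be reproduced locally by comparing a reported Grafana version against the four affected ranges listed above. The block below is an added example, not Qualys' or Grafana's detection logic; it assumes the version string has already been extracted from the server response and is passed in directly, and the sample version strings are constructed.

```javascript
// Added example (not Qualys' or Grafana's detection logic): classify a Grafana version
// string against the affected ranges listed in this QID. Extracting the version from the
// server response is assumed to have happened already; only the string is handled here.

// Affected ranges from the advisory text (inclusive on both ends).
const AFFECTED_RANGES = [
  { from: '8.5.0', to: '8.5.21' },
  { from: '9.2.0', to: '9.2.14' },
  { from: '9.3.0', to: '9.3.10' },
  { from: '9.4.0', to: '9.4.6' },
];

// Parse "major.minor.patch", tolerating a leading "v" and ignoring any suffix such as "-pre".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison; returns -1, 0 or 1. A plain string comparison
// would rank "9.4.10" below "9.4.6", which is exactly the kind of mistake that produces
// false negatives in version-based checks.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0,
  );
}

// Constructed sample version strings, as a scanner might see them in a response.
const sampleVersions = ['8.5.0', '8.5.21', '8.5.22', '9.2.14', '9.3.11', '9.4.6', '9.4.7', '9.4.10', '8.4.9'];
for (const v of sampleVersions) {
  console.log(v.padEnd(8), isAffected(v) ? 'affected' : 'not in affected ranges');
}
```

Versions outside the listed ranges are reported as "not in affected ranges" rather than "fixed", because the page lists only the affected ranges; a real check should also treat an unparsable or missing version as inconclusive rather than as safe.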
An attacker needs to have control over an already configured Graphite data source, or a Grafana admin needs to add a deliberately modified Graphite data source.
This means that vertical privilege escalation is possible: malicious JavaScript could change a user's password to a value known to the attacker when that user opens the Explore view and hovers over a Function tooltip.
- Grafana Security Advisory -
grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/
CVEs related to QID 730771
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Grafana Security Advisory | Grafana | | grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/ |