Stored XSS in Grafana's Unified Alerting
CVE-2022-31097

7.3HIGH

Key Information:

Vendor
Grafana
Status
Grafana
Vendor
CVE Published:
15 July 2022

Summary

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

Affected Version(s)

grafana >= 9.0.0, < 9.0.3 < 9.0.0, 9.0.3

grafana >= 8.5.0, < 8.5.9 < 8.5.0, 8.5.9

grafana >= 8.4.0, < 8.4.10 < 8.4.0, 8.4.10

References

https://github.com/grafana/grafana/security/advisories/GH...
x_refsource_CONFIRM
https://grafana.com/docs/grafana/latest/release-notes/rel...
x_refsource_MISC
https://grafana.com/docs/grafana/next/release-notes/relea...
x_refsource_MISC

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.