Stored XSS Vulnerability in Grafana's GeoMap Plugin
CVE-2023-0507

5.4MEDIUM

Key Information:

Vendor: Grafana
Status: Grafana; Grafana Enterprise
Vendor: CVE Published:; 1 March 2023

Summary

Grafana's core plugin, GeoMap, is vulnerable to stored XSS due to inadequate sanitization of map attributions. This allows an attacker with Editor privileges to execute arbitrary JavaScript in the context of any logged-in user, including Admins, thereby creating a potential vertical privilege escalation scenario. To mitigate this risk, users should upgrade to the patched versions: 8.5.21, 9.2.13, or 9.3.8.

Affected Version(s)

Grafana 8.1.0 < 8.5.21

Grafana 9.0.0 < 9.2.13

Grafana 9.3.0 < 9.3.8

References

https://grafana.com/security/security-advisories/cve-2023...

https://security.netapp.com/advisory/ntap-20230413-0001/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 1, 2023
Vulnerability Reserved
Jan 25, 2023