Stored XSS Vulnerability in Grafana's GeoMap Plugin
CVE-2023-0507

7.3HIGH

Key Information:

Vendor: Grafana
Status: Grafana; Grafana Enterprise
Vendor: CVE Published:; 1 March 2023

Summary

Grafana's core plugin, GeoMap, is vulnerable to stored XSS due to inadequate sanitization of map attributions. This allows an attacker with Editor privileges to execute arbitrary JavaScript in the context of any logged-in user, including Admins, thereby creating a potential vertical privilege escalation scenario. To mitigate this risk, users should upgrade to the patched versions: 8.5.21, 9.2.13, or 9.3.8.

Affected Version(s)

Grafana 8.1.0 < 8.5.21

Grafana 9.0.0 < 9.2.13

Grafana 9.3.0 < 9.3.8

References

https://grafana.com/security/security-advisories/cve-2023...

https://security.netapp.com/advisory/ntap-20230413-0001/

EPSS Score

66% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 1, 2023
Vulnerability Reserved
Jan 25, 2023