Stored XSS Vulnerability in Grafana Monitoring Platform
CVE-2023-0594

7.3 HIGH

Key Information:

Vendor:
Grafana
CVE Published:
1 March 2023

Summary

Grafana, an open-source platform for monitoring and observability, contains a stored cross-site scripting (XSS) vulnerability in its trace view visualizations. Span attributes are rendered without proper sanitization, so an attacker with Editor privileges can inject JavaScript that executes in the browser session of any other user who views the affected trace, potentially enabling vertical privilege escalation. Users are advised to upgrade to one of the fixed Grafana versions to secure their installations.
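The root cause described above is a rendering path that places user-controlled span attribute values into HTML without escaping. The following is an added illustration, not Grafana's own code: a minimal trace-attribute renderer in its vulnerable form beside a hardened form that escapes every untrusted string for the HTML text context, plus a small check that a test suite or code review can use to confirm no raw markup from span data survives into the output. The span object, its attribute names and the attribute value are constructed for the example.

```javascript
// Added example (not Grafana's code). Demonstrates the unsafe and safe way to
// render trace span attributes into HTML, and a check that catches the unsafe one.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for insertion into HTML text content (also neutralises quotes,
// so the result is safe inside a double-quoted attribute as well).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: attribute keys and values are concatenated into markup verbatim.
// Any '<script>' or inline event handler in a span attribute becomes live HTML.
function renderSpanAttributesUnsafe(span) {
  const rows = Object.entries(span.attributes)
    .map(([k, v]) => `<tr><td>${k}</td><td>${v}</td></tr>`);
  return `<table class="span-attrs">${rows.join('')}</table>`;
}

// Hardened pattern: every untrusted string is escaped before it reaches markup.
// In a real browser component the equivalent is to build nodes with
// document.createElement and assign element.textContent instead of innerHTML.
function renderSpanAttributesSafe(span) {
  const rows = Object.entries(span.attributes)
    .map(([k, v]) => `<tr><td>${escapeHtml(k)}</td><td>${escapeHtml(v)}</td></tr>`);
  return `<table class="span-attrs">${rows.join('')}</table>`;
}

// Regression check: does the rendered HTML still contain, verbatim, any untrusted
// input that carried angle brackets? If so, the renderer is not escaping.
function containsRawMarkup(html, untrustedValues) {
  return untrustedValues.some((v) => /[<>]/.test(v) && html.includes(v));
}

// Constructed sample span (hypothetical ids and attributes) whose one attribute
// value carries a script tag, as a user with edit rights on the data could submit.
const sampleSpan = {
  traceId: 'constructed-trace-1',
  spanId: 'constructed-span-1',
  operationName: 'GET /api/search',
  attributes: {
    'http.method': 'GET',
    'http.url': '/api/search?q=<script>alert(1)</script>',
  },
};

function demo() {
  const untrusted = Object.values(sampleSpan.attributes);
  return {
    unsafeLeaksMarkup: containsRawMarkup(renderSpanAttributesUnsafe(sampleSpan), untrusted), // true
    safeLeaksMarkup: containsRawMarkup(renderSpanAttributesSafe(sampleSpan), untrusted),     // false
    safeHtml: renderSpanAttributesSafe(sampleSpan),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The `containsRawMarkup` check is deliberately crude: it is meant as a unit test guard that fails the moment someone reintroduces string concatenation into a renderer, not as a general XSS detector. For output that lands in a JavaScript or URL context rather than HTML text, a different encoder is required; escaping for the wrong context is the usual way such fixes regress.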

Affected Version(s)

Grafana >= 7.0.0 and < 8.5.21 (fixed in 8.5.21)

Grafana >= 9.0.0 and < 9.2.13 (fixed in 9.2.13)

Grafana >= 9.3.0 and < 9.3.8 (fixed in 9.3.8)

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
