CVE-2023-0507

Severity CVSS v4.0:

Pending analysis

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

01/03/2023

Last modified:

13/02/2025

Description

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren&#39;t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

Base Score 3.x

7.30

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:grafana:grafana::::::::	8.1.0 (including)	8.5.21 (excluding)
cpe:2.3:a:grafana:grafana::::::::	9.2.0 (including)	9.2.13 (excluding)
cpe:2.3:a:grafana:grafana::::::::	9.3.0 (including)	9.3.8 (excluding)

To consult the complete list of CPE names with products and versions, see this page

CVE-2023-0507

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools