CVE-2023-1410
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
23/03/2023
Last modified:
13/02/2025
Description
Grafana is an open-source platform for monitoring and observability. <br />
<br />
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. <br />
<br />
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.<br />
<br />
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. <br />
<br />
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
Impact
Base Score 3.x
6.20
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 8.0.0 (including) | 8.5.22 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 9.2.0 (including) | 9.2.15 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 9.3.0 (excluding) | 9.3.11 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
- https://grafana.com/security/security-advisories/cve-2023-1410/
- https://security.netapp.com/advisory/ntap-20230420-0003/
- https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
- https://grafana.com/security/security-advisories/cve-2023-1410/
- https://security.netapp.com/advisory/ntap-20230420-0003/