CVE-2023-0594
Grafana vulnerable to Cross-site Scripting
Description
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
How to fix CVE-2023-0594
To remediate CVE-2023-0594, upgrade the affected package to a fixed version below.
- —upgrade to 8.5.21 or later
- —upgrade to 8.5.21 or later
Is CVE-2023-0594 being exploited?
Moderate — EPSS is 36.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- >= 7.0.0, < 8.5.21, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.8
- >= 7.0.0, < 8.5.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |