CVE-2023-22462 : Grafana is an open-source platform for monitoring and observability. On 2023-01-

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.

Published 2023-03-02 01:15:12

Updated 2024-02-01 17:08:55

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Gain privilege

Products affected by CVE-2023-22462

Grafana » Grafana
Versions from including (>=) 9.2.0 and before (<) 9.2.10
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Matching versions
Grafana » Grafana
Versions from including (>=) 9.3.0 and before (<) 9.3.4
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-22462

EPSS FAQ

7.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 91 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-22462

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N	1.2	5.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2023-22462

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2023-22462

https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165

[v9.3.x] Plugins: Fix plugin query help markdown (#60907) · grafana/grafana@db83d5f · GitHub
Patch
https://security.netapp.com/advisory/ntap-20230413-0004/

CVE-2023-22462 Grafana Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf

Stored XSS in Text plugin · Advisory · grafana/grafana · GitHub
Vendor Advisory
https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

Grafana security release: New versions with security fixes for CVE-2023-0594, CVE-2023-0507, and CVE-2023-22462 | Grafana Labs
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-22462

Products affected by CVE-2023-22462

Exploit prediction scoring system (EPSS) score for CVE-2023-22462

CVSS scores for CVE-2023-22462

CWE ids for CVE-2023-22462

References for CVE-2023-22462