CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0594 – grafana: cross site scripting
https://notcve.org/view.php?id=CVE-2023-0594
01 Mar 2023 — Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertica... • https://grafana.com/security/security-advisories/cve-2023-0594 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0507 – grafana: cross site scripting
https://notcve.org/view.php?id=CVE-2023-0507
01 Mar 2023 — Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This ... • https://grafana.com/security/security-advisories/cve-2023-0507 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 1CVE-2022-23498 – When query caching is enabled in Grafana users can query another users session
https://notcve.org/view.php?id=CVE-2022-23498
03 Feb 2023 — Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4. • https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23552 – Grafana stored XSS in FileUploader component
https://notcve.org/view.php?id=CVE-2022-23552
27 Jan 2023 — Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include eith... • https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •