// For flags

CVE-2022-23552

Grafana stored XSS in FileUploader component

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.

Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.

Grafana es una plataforma de código abierto para monitoreo y observabilidad. A partir de la rama 8.1 y antes de las versiones 8.5.16, 9.2.10 y 9.3.4, Grafana tenía una vulnerabilidad XSS almacenada que afectaba al complemento principal GeoMap. La vulnerabilidad XSS almacenada fue posible porque los archivos SVG no se desinfectaron adecuadamente y permitieron la ejecución de JavaScript arbitrario en el contexto del usuario actualmente autorizado de la instancia de Grafana. Un atacante debe tener la función de Editor para cambiar un panel para incluir una URL externa a un archivo SVG que contenga JavaScript o usar el esquema `datos:` para cargar un archivo SVG en línea que contenga JavaScript. Esto significa que es posible una escalada de privilegios vertical, donde un usuario con rol de editor puede cambiar a una contraseña conocida para un usuario que tiene rol de administrador si el usuario con rol de administrador ejecuta JavaScript malicioso al ver un panel. Los usuarios pueden actualizar a la versión 8.5.16, 9.2.10 o 9.3.4 para recibir una solución.

A flaw was found in The GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to Cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The Javascript is executed when a user with an admin role later edits the GeoMap/Canvas panel.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2023-01-27 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.1.0 < 8.5.16
Search vendor "Grafana" for product "Grafana" and version " >= 8.1.0 < 8.5.16"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 9.0.0 < 9.2.10
Search vendor "Grafana" for product "Grafana" and version " >= 9.0.0 < 9.2.10"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 9.3.0 < 9.3.4
Search vendor "Grafana" for product "Grafana" and version " >= 9.3.0 < 9.3.4"
-
Affected