CVE-2022-31097
Stored XSS in Grafana's Unified Alerting
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branches prior to 9.0.3, 8.5.6, 8.4.10, and 8.3.10 are vulnerable to a stored cross-site scripting attack via Grafana's Unified Alerting feature. An attacker can exploit this vulnerability to escalate privilege from editor to administrator by tricking an authenticated administrator into clicking on a link. Versions 9.0.3, 8.5.6, 8.4.10, and 8.3.10 contain a patch. As a mitigation, it is possible to disable alerting or use legacy alerting.
A Cross-site scripting (XSS) vulnerability was found in the Unified Alerting feature of Grafana. This stored XSS can elevate privileges from Editor to Admin.
Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-15 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (7)
URL | Tag | Source
---|---|---
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f | Release Notes |
https://security.netapp.com/advisory/ntap-20220901-0010 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Grafana | Grafana | >= 8.0.0 < 8.3.10 | - | Affected
Grafana | Grafana | >= 8.4.0 < 8.4.10 | - | Affected
Grafana | Grafana | >= 8.5.0 < 8.5.9 | - | Affected
Grafana | Grafana | >= 9.0.0 < 9.0.3 | - | Affected
Netapp | E-series Performance Analyzer | - | - | Affected