// For flags

CVE-2022-31097

Stored XSS in Grafana's Unified Alerting

Severity Score

8.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

Grafana es una plataforma de código abierto para la monitorización y la observación. Las versiones de la rama 8.x y 9.x anteriores a 9.0.3, 8.5.6, 8.4.10 y 8.3.10, son vulnerables a un ataque de tipo cross-site scripting almacenado por medio de la función Unified Alerting de Grafana. Un atacante puede explotar esta vulnerabilidad para escalar el privilegio de editor a administrador al engañar a un administrador autenticado para que haga clic en un enlace. Las versiones 9.0.3, 8.5.6, 8.4.10 y 8.3.10 contienen un parche. Como mitigación, es posible deshabilitar las alertas o usar las alertas heredadas

A Cross-site scripting (XSS) vulnerability was found in the Unified Alerting feature of Grafana. This stored XSS can elevate privileges from Editor to Admin.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-05-18 CVE Reserved
  • 2022-07-15 CVE Published
  • 2024-05-31 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.0.0 < 8.3.10
Search vendor "Grafana" for product "Grafana" and version " >= 8.0.0 < 8.3.10"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.4.0 < 8.4.10
Search vendor "Grafana" for product "Grafana" and version " >= 8.4.0 < 8.4.10"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.5.0 < 8.5.9
Search vendor "Grafana" for product "Grafana" and version " >= 8.5.0 < 8.5.9"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 9.0.0 < 9.0.3
Search vendor "Grafana" for product "Grafana" and version " >= 9.0.0 < 9.0.3"
-
Affected
Netapp
Search vendor "Netapp"
E-series Performance Analyzer
Search vendor "Netapp" for product "E-series Performance Analyzer"
--
Affected