Vulnerability CVE-2023-1410: Information

Description

Grafana is an open-source platform for monitoring and observability.  Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.  Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.

Severity: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-1410
Published: March 23, 2023
Modified: April 20, 2023
Error type identifier: CWE-79

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
grafanasisyphus9.5.5-alt110.2.2-alt1.1ALT-PU-2023-4148-1323937Fixed
grafanap109.5.5-alt110.2.2-alt1.1ALT-PU-2023-4133-1323967Fixed
grafanac10f19.5.5-alt110.2.2-alt1.1ALT-PU-2023-4346-2324663Fixed
grafanac9f29.5.5-alt19.5.5-alt1ALT-PU-2023-4567-3323137Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
  • Exploit
  • Vendor Advisory
https://grafana.com/security/security-advisories/cve-2023-1410/
  • Vendor Advisory
https://security.netapp.com/advisory/ntap-20230420-0003/

      1. Configuration 1

        cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
        Start excluding
        9.3.0
        End excliding
        9.3.11
        cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
        Start including
        9.2.0
        End excliding
        9.2.15
        cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
        Start including
        8.0.0
        End excliding
        8.5.22
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.1
    Back to top