Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-0507

Опубликовано: 01 мар. 2023
Источник: nvd
CVSS3: 7.3
CVSS3: 5.4
EPSS Средний

Описание

Grafana is an open-source platform for monitoring and observability.

Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap.

The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript.

This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.

Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Версия от 8.1.0 (включая) до 8.5.21 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Версия от 9.2.0 (включая) до 9.2.13 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Версия от 9.3.0 (включая) до 9.3.8 (исключая)

EPSS

Процентиль: 98%
0.66153
Средний

7.3 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79
CWE-79

Связанные уязвимости

ubuntu логотип

CVE-2023-0507

CVSS3: 7.3
ubuntu
больше 2 лет назад

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

redhat логотип

CVE-2023-0507

CVSS3: 7.3
redhat
больше 2 лет назад

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

debian логотип

CVE-2023-0507

CVSS3: 7.3
debian
больше 2 лет назад

Grafana is an open-source platform for monitoring and observability. ...

github логотип

GHSA-hjv9-hm2f-rpcj

CVSS3: 5.4
github
больше 2 лет назад

Grafana vulnerable to Cross-site Scripting

fstec логотип

BDU:2023-01605

CVSS3: 7.3
fstec
больше 2 лет назад

Уязвимость плагина GeoMap веб-инструмента представления данных Grafana, связанная с недостаточной защитой структуры веб-страницы, позволяющая нарушителю повысить свои привилегии

EPSS

Процентиль: 98%
0.66153
Средний

7.3 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79
CWE-79