Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-2703

Опубликовано: 23 апр. 2025
Источник: redhat
CVSS3: 6.4
EPSS Низкий

Описание

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

A DOM-based Cross-site scripting vulnerability exists in Grafana's built-in XY Chart plugin. This flaw allows an attacker with editor-level privileges to inject and execute arbitrary JavaScript code by editing an XY Chart Panel. The vulnerability bypasses the Content Security Policy, allowing the script to execute when the chart is rendered.

Отчет

This vulnerability is classified as a Moderate severity due to the ability of authenticated users with Editor permissions to inject arbitrary JavaScript into XY Chart panels. When the panel is rendered, the payload executes in the user's browser context, bypassing existing Content Security Policy (CSP) protections. This allows for potential session hijacking or data exfiltration. While the exploit requires some user privileges and interaction, the security boundary between trusted editors and secure rendering is violated. It is important to note that this issue affects Grafana versions 11.1.0 and later, which are not included in any Red Hat supported builds. Therefore, Red Hat customers are not impacted by this vulnerability.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10grafanaNot affected
Red Hat Enterprise Linux 8grafanaNot affected
Red Hat Enterprise Linux 9grafanaNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2358582grafana: Cross-Site Scripting in Grafana XY Chart Panel

EPSS

Процентиль: 2%
0.00016
Низкий

6.4 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-2703

CVSS3: 6.8
nvd
3 месяца назад

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

github логотип

GHSA-p2mq-5mvf-j4j6

CVSS3: 6.8
github
3 месяца назад

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

fstec логотип

BDU:2025-07172

CVSS3: 6.8
fstec
3 месяца назад

Уязвимость плагина для визуализации данных в системе мониторинга Grafana XY Chart Plugin, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю выполнить атаку типа DOM-based XSS

redos логотип

ROS-20250619-15

CVSS3: 8.3
redos
28 дней назад

Множественные уязвимости grafana

suse-cvrf логотип

SUSE-SU-2025:01991-1

suse-cvrf
29 дней назад

Security update for grafana

EPSS

Процентиль: 2%
0.00016
Низкий

6.4 Medium

CVSS3