CVE-2023-1410: Stored XSS in Graphite FunctionDescription tooltip
First published: Thu Mar 23 2023(Updated: )
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
Credit: security@grafana.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | >=8.0.0<8.5.22 | |
| Grafana Grafana | >=9.2.0<9.2.15 | |
| Grafana Grafana | >9.3.0<9.3.11 | |
| redhat/Grafana | <8.5.22 | 8.5.22 |
| redhat/Grafana | <9.3.11 | 9.3.11 |
| redhat/Grafana | <9.2.15 | 9.2.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
- https://grafana.com/security/security-advisories/cve-2023-1410/
- https://security.netapp.com/advisory/ntap-20230420-0003/
- https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2181438
- https://access.redhat.com/errata/RHSA-2023:7741
- https://bugzilla.redhat.com/show_bug.cgi?id=2181117
Frequently Asked Questions
What is CVE-2023-1410?
CVE-2023-1410 is a stored XSS vulnerability in Grafana's Graphite Function Description tooltip.
What is Grafana?
Grafana is an open-source platform for monitoring and observability.
What is the severity rating of CVE-2023-1410?
CVE-2023-1410 has a severity rating of 4.8 (medium).
Which software versions are affected by CVE-2023-1410?
Grafana versions between 8.0.0 and 8.5.22, versions between 9.2.0 and 9.2.15, and versions between 9.3.0 and 9.3.11 are affected by CVE-2023-1410.
How can I fix the CVE-2023-1410 vulnerability in Grafana?
To fix the CVE-2023-1410 vulnerability in Grafana, you should update to a version that is not affected by the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-1410
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/event
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/8.0.0
- version/grafana grafana/9.2.0
- package-manager/redhat