Cyber Resilience

CVE-2023-0507

High

Published: 01 March 2023
Modified: 13 February 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in 8.5.21, 9.2.13, 9.3.8)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.6058 (98.3rd percentile)
Risk Priority: 51 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0507 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Grafana (vendor: Grafana, product: Grafana). Its CVSS v3.1 base score is 7.3 (High).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Grafana, an open-source monitoring and observability platform, contains a stored cross-site scripting vulnerability in the core GeoMap plugin that affects versions in the 8.1 branch and later. The flaw stems from insufficient sanitization of map attributions, which permits arbitrary JavaScript to execute in the context of any authenticated user who views a compromised dashboard.

An attacker with Editor privileges can modify a panel to embed malicious JavaScript within a map attribution. When a user with higher privileges, such as an Administrator, subsequently views the dashboard, the script runs and can perform actions including changing the Administrator password, enabling vertical privilege escalation.

Official advisories from Grafana recommend upgrading to versions 8.5.21, 9.2.13, or 9.3.8 to remediate the issue; NetApp has also issued corresponding guidance for affected products.

The CVE carries a CVSS score of 7.3 and is tracked under CWE-79, with an EPSS score that has reached a peak of 0.6615.

Vulnerability details

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with the Editor role can change to a known password for a user having the Admin role if the user with the Admin role executes malicious JavaScript while viewing a dashboard. Users may upgrade to versions 8.5.21, 9.2.13, or 9.3.8 to receive a fix.

CWE(s)

CWE-79: Cross-site Scripting

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: grafana
Product: grafana
Affected versions: 8.1.0 to 8.5.21 · 9.2.0 to 9.2.13 · 9.3.0 to 9.3.8 (fixed in 8.5.21, 9.2.13, 9.3.8)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses: CWE-79)
- Input validation checks web inputs and rejects script-related content that could produce XSS. (addresses: CWE-79)
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses: CWE-79)
