CVE-2023-0507
Published: 01 March 2023
Summary
CVE-2023-0507 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Grafana. Its CVSS base score is 7.3 (High).
Operationally, it is ranked in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Grafana, an open-source monitoring and observability platform, contains a stored cross-site scripting vulnerability in the core GeoMap plugin that affects versions in the 8.1 branch and later. The flaw stems from insufficient sanitization of map attributions, which permits arbitrary JavaScript to execute in the context of any authenticated user who views a compromised dashboard.
An attacker with Editor privileges can modify a panel to embed malicious JavaScript within a map attribution. When a user with higher privileges, such as an Administrator, subsequently views the dashboard, the script runs and can perform actions including changing the Administrator password, enabling vertical privilege escalation.
Official advisories from Grafana recommend upgrading to versions 8.5.21, 9.2.13, or 9.3.8 to remediate the issue; NetApp has also issued corresponding guidance for affected products.
The CVE carries a CVSS score of 7.3 and is tracked under CWE-79, with an EPSS score that has reached a peak of 0.6615.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1035
Vulnerability details
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions weren't properly sanitized, which allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with the Editor role can change the password of a user with the Admin role to a known value, if the Admin user executes the malicious JavaScript while viewing a dashboard. Users may upgrade to versions 8.5.21, 9.2.13 or 9.3.8 to receive a fix.
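As an added defender-side check (not part of this advisory or of Grafana's own code), the following Python compares a reported Grafana version against the fixed releases listed above. It assumes that the 9.4 branch and later ship the fix, and it treats 8.1 through 8.4, 9.0 and 9.1, which have no listed fix release, as affected.

```python
"""Affected-version check for CVE-2023-0507 (Grafana GeoMap stored XSS)."""

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {
    (8, 5): (8, 5, 21),
    (9, 2): (9, 2, 13),
    (9, 3): (9, 3, 8),
}
FIRST_AFFECTED = (8, 1, 0)   # the advisory says "starting with the 8.1 branch"
# Assumption: the first branch after 9.3 carries the fix from its first release.
FIRST_CLEAN_LATER_BRANCH = (9, 4, 0)


def parse_version(text):
    """Parse '9.3.7', 'v9.3.7' or '9.3.7-beta1' into a (major, minor, patch) tuple.

    Pre-release and build suffixes are dropped; anything else is rejected so a
    malformed inventory entry fails loudly instead of being reported as safe.
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """Return True if this Grafana version is vulnerable to CVE-2023-0507."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False                      # predates the vulnerable GeoMap code
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]    # patched only from the fix release on
    # 8.1-8.4, 9.0 and 9.1 have no listed fix release; 9.4+ assumed fixed.
    return version < FIRST_CLEAN_LATER_BRANCH


def triage(inventory):
    """Map host -> version to the list of hosts that still need the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"grafana-a": "9.3.7", "grafana-b": "9.3.8", "grafana-c": "v8.5.20"}
    print("needs upgrade:", triage(sample))   # prints ['grafana-a', 'grafana-c']
```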
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.