Cyber Resilience

CVE-2023-0594

Severity: High
Published: 01 March 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 Score: 7.3 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.3664 (97.2nd percentile)
Risk Priority: 37 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0594 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Grafana (vendor: Grafana). Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 2.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Grafana, an open-source monitoring and observability platform, contains a stored cross-site scripting vulnerability in its trace view visualization that has existed since the 7.0 release branch. The flaw stems from insufficient sanitization of span attributes and resources, which are rendered without escaping when expanded in the visualization, allowing arbitrary JavaScript to be stored and later executed in users' browsers.

An authenticated user with the Editor role can modify a trace view panel to embed malicious JavaScript in span attributes. When a user with higher privileges, such as an Administrator, subsequently views the affected dashboard, the script executes in their context, enabling vertical privilege escalation such as password changes or other administrative actions.
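The rendering mistake described above, as an added illustration that is not Grafana's code: a string-based model of expanding a span's attributes into HTML, the raw-interpolation pattern beside the escaped one, plus a check a test suite can run over the output. The sample span, its attacker-controlled attribute value and all function names are constructed for this example.

```javascript
// Constructed sample span: one attribute carries markup supplied by a
// low-privileged editor. Not real trace data.
const SAMPLE_SPAN = {
  name: 'GET /api/orders',
  attributes: {
    'http.method': 'GET',
    'http.url': '/api/orders?id=42',
    'user.note': '<script>alert(1)</script>', // attacker-controlled value
  },
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): keys and values interpolated verbatim, so
// markup inside an attribute becomes part of the page when expanded.
function renderSpanAttributesUnsafe(span) {
  const rows = Object.entries(span.attributes)
    .map(([k, v]) => `<tr><td>${k}</td><td>${v}</td></tr>`);
  return `<table>${rows.join('')}</table>`;
}

// Hardened pattern: every key and value is escaped before insertion, so
// the same attribute is displayed as inert text.
function renderSpanAttributes(span) {
  const rows = Object.entries(span.attributes)
    .map(([k, v]) => `<tr><td>${escapeHtml(k)}</td><td>${escapeHtml(v)}</td></tr>`);
  return `<table>${rows.join('')}</table>`;
}

// Regression check: the rendered markup may contain only the tags the
// renderer itself emits. Anything else came from span data.
function containsForeignTags(html) {
  const allowed = new Set(['table', 'tr', 'td', '/table', '/tr', '/td']);
  return [...html.matchAll(/<([^>\s]+)/g)]
    .some((m) => !allowed.has(m[1].toLowerCase()));
}

console.log('unsafe leaks markup:', containsForeignTags(renderSpanAttributesUnsafe(SAMPLE_SPAN)));
console.log('escaped leaks markup:', containsForeignTags(renderSpanAttributes(SAMPLE_SPAN)));
```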

The official Grafana advisory recommends upgrading to versions 8.5.21, 9.2.13, or 9.3.8 to remediate the issue; a corresponding NetApp advisory (NTAP-20230331-0007) addresses affected downstream products.

EPSS scores for the vulnerability rose from a low baseline to a peak of 0.5200 on 2026-02-03 before receding to the current value of 0.3664, indicating measurable post-disclosure exploitation interest.

Vulnerability details

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible because the value of a span's attributes/resources was not properly sanitized, and that value is rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with the Editor role can change the password of a user with the Admin role to a known value if the Admin user executes the malicious JavaScript while viewing a dashboard. Users may upgrade to versions 8.5.21, 9.2.13, or 9.3.8 to receive a fix.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: grafana
Product: grafana
Affected versions: 7.0.0 to 8.5.21, 9.2.0 to 9.2.13, 9.3.0 to 9.3.8

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses: CWE-79)

Validates web inputs to reject script-related content that could produce XSS. (addresses: CWE-79)

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses: CWE-79)
