Cyber Resilience

CVE-2023-22462

Severity: Medium
Published: 02 March 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: 28 February 2023
CVSS Score v3.1: 6.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.1776 (95.3rd percentile)
Risk Priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22462 is a medium-severity stored cross-site scripting (CWE-79) vulnerability in Grafana. Its CVSS v3.1 base score is 6.4 (Medium).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood (EPSS 0.1776, 95.3rd percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Grafana, an open-source monitoring and observability platform, contains a stored cross-site scripting vulnerability in its core Text panel plugin. The flaw is an ordering problem in React's render cycle: the panel's HTML is passed through unsanitized on the first render, and only on the next cycle is it cleaned up and persisted to Grafana's database. That first pass is enough for script content saved by an Editor-privileged user to execute in the browser. The issue is tracked as CWE-79 with a CVSS 3.1 base score of 6.4.
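To make the ordering concrete, the following is an added example in plain JavaScript; it is not Grafana's code and does not reproduce Grafana's patch. A toy sanitizer and a fake DOM sink show how a render pass that writes content before sanitizing exposes active script to the browser, while sanitizing before the first write does not. The sanitizer, sink and payload are all constructed for this illustration.

```javascript
// Added example (not Grafana's code): models the render-then-sanitize ordering
// behind CVE-2023-22462 in plain JavaScript, with no React or browser DOM.
// The two "passes" below stand in for two React render cycles.

// Toy denylist sanitizer, constructed for this example. It strips <script>
// blocks, inline on* event handlers and javascript: URLs; Grafana's real
// sanitizer is not reproduced here.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/javascript:/gi, "");
}

// Fake DOM sink that records every HTML string handed to the page. In a real
// browser, one write containing active content is enough for it to execute.
function makeSink() {
  const writes = [];
  return { write: (html) => writes.push(html), writes };
}

// Vulnerable ordering, as the advisory describes it: pass 1 renders the stored
// content as-is; pass 2 cleans it, saves the cleaned copy and re-renders.
// The clean-up comes too late, because the DOM has already seen the raw markup.
function renderTextPanelVulnerable(content, sink, store) {
  sink.write(content);                   // pass 1: unsanitized HTML reaches the DOM
  store.content = sanitizeHtml(content); // pass 2: clean, persist ...
  sink.write(store.content);             // ... and render the cleaned copy
  return store.content;
}

// Hardened ordering: sanitize synchronously before the first write, so the DOM
// never observes anything but cleaned markup, in HTML or Markdown view alike.
function renderTextPanelFixed(content, sink, store) {
  store.content = sanitizeHtml(content);
  sink.write(store.content);
  return store.content;
}

// True if any write to the sink carried a script block or an inline handler.
function domSawActiveContent(sink) {
  return sink.writes.some((h) => /<script\b|\son\w+\s*=/i.test(h));
}

// Constructed payload standing in for what an Editor could save into a Text panel.
const PAYLOAD =
  '<p>Latency</p><img src=x onerror="alert(1)"><script>alert(2)</script>';

// Runs both orderings against the same payload and reports which one exposed it.
function compareOrderings(payload = PAYLOAD) {
  const vulnSink = makeSink();
  const fixedSink = makeSink();
  renderTextPanelVulnerable(payload, vulnSink, {});
  renderTextPanelFixed(payload, fixedSink, {});
  return {
    vulnerableExposed: domSawActiveContent(vulnSink),
    fixedExposed: domSawActiveContent(fixedSink),
    cleaned: sanitizeHtml(payload),
  };
}

console.log(compareOrderings());
```

The point of the comparison is that both variants end up persisting the same cleaned content; the only difference is whether the raw markup touched the DOM first. That is the property a fix for this class of bug has to guarantee, and the property to check for when reviewing any component that renders user-supplied HTML.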

An attacker holding the Editor role modifies a Text panel so that its content includes malicious JavaScript. When a second user, such as one holding the Admin role, subsequently edits the same panel and clicks the Markdown or HTML view, the script executes in that user's browser session with that user's privileges. This makes vertical privilege escalation possible; the advisory's example is an Editor setting an Admin account's password to a value the attacker knows. The attack needs several user interactions from a higher-privileged victim, which is reflected in the AC:H and UI:R components of the CVSS vector.

The vulnerability was addressed in Grafana releases 9.2.10 and 9.3.4. Official advisories, including the GitHub Security Advisory GHSA-7rqg-hjwc-6mjf and the Grafana security blog post of 28 February 2023, recommend upgrading to these or later versions; NetApp has also published a corresponding advisory (NTAP-20230413-0004).

EPSS scores have remained in a narrow band between 0.1776 and a peak of 0.2005, indicating moderate but stable exploitation interest since disclosure.


Vulnerability details

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass through the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with the Editor role can change the password of a user with the Admin role to a known value if the Admin user executes the malicious JavaScript while viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: grafana
Product: grafana
Affected versions: 9.2.0 up to but not including 9.2.10, and 9.3.0 up to but not including 9.3.4 (fixed in 9.2.10 and 9.3.4)
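As an added example (not Grafana's own tooling), the JavaScript below performs the two checks a practitioner would want from this section and from the attack scenario described above: it tests a reported Grafana version against the affected ranges listed here, and it walks an exported dashboard JSON, including panels nested under collapsed rows, to flag Text panels whose content carries script tags or inline event handlers. The sample dashboard export and the indicator pattern are constructed for the example; the code assumes the `options.mode` / `options.content` layout Grafana 9 uses for Text panels and falls back to the older root-level `mode` / `content` fields.

```javascript
// Added example (not Grafana code): version check against the affected ranges
// on this page, plus a scan of exported dashboard JSON for Text panels that
// contain active content.

// Compare dotted version strings numerically, so that "9.2.10" > "9.2.9".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Affected ranges per this page: 9.2.0 up to but not including 9.2.10, and
// 9.3.0 up to but not including 9.3.4 (the fixed releases).
const AFFECTED_RANGES = [["9.2.0", "9.2.10"], ["9.3.0", "9.3.4"]];

// Accepts "9.3.3", "v9.3.3" or "9.3.3-pre" style strings.
function isAffectedVersion(version) {
  const clean = version.replace(/^v/, "").split(/[-+]/)[0];
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(clean, lo) >= 0 && compareVersions(clean, hi) < 0
  );
}

// Walk all panels, descending into panels nested under (collapsed) row panels.
function* walkPanels(panels) {
  for (const p of panels || []) {
    yield p;
    if (Array.isArray(p.panels)) yield* walkPanels(p.panels);
  }
}

// Heuristic indicators of active content (constructed for this example; tune
// for your environment). A hit is a review trigger, not proof of exploitation.
const ACTIVE_CONTENT = /<script\b|\son\w+\s*=|javascript:|<iframe\b|<object\b|<embed\b/i;

// Returns one record per Text panel whose content matches the indicator pattern.
function findSuspiciousTextPanels(dashboard) {
  const hits = [];
  for (const p of walkPanels(dashboard.panels)) {
    if (p.type !== "text") continue;
    // Grafana 9 stores mode/content under options; older exports used root fields.
    const content = (p.options && p.options.content) ?? p.content ?? "";
    const mode = (p.options && p.options.mode) ?? p.mode ?? "markdown";
    if (ACTIVE_CONTENT.test(content)) {
      hits.push({ dashboard: dashboard.title, panelId: p.id, title: p.title, mode });
    }
  }
  return hits;
}

// Constructed dashboard export standing in for a real one; panel 4 carries an
// inline event handler inside a collapsed row.
const SAMPLE_DASHBOARD = {
  title: "Service overview",
  panels: [
    { id: 1, type: "timeseries", title: "Requests" },
    { id: 2, type: "text", title: "Runbook",
      options: { mode: "markdown", content: "# Runbook\nPage the primary responder." } },
    { id: 3, type: "row", title: "Details", collapsed: true, panels: [
      { id: 4, type: "text", title: "Notes",
        options: { mode: "html", content: '<b>Notes</b><img src=x onerror="alert(1)">' } },
    ] },
  ],
};

console.log("9.3.3 affected:", isAffectedVersion("9.3.3"));
console.log(findSuspiciousTextPanels(SAMPLE_DASHBOARD));
```

In practice you would feed `findSuspiciousTextPanels` the `dashboard` object from each `GET /api/dashboards/uid/<uid>` response for every dashboard an Editor can modify. Legitimate HTML panels can contain event handlers, so treat each hit as something to review rather than as an incident, and run the scan both before and after upgrading, since the stored content itself is not changed by the upgrade.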

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-79) cited in the NVD entry. For this particular flaw, note that a sanitizer was present but ran only after the first render cycle, so an output-sanitization control is effective only if it runs before untrusted content reaches the DOM. Limiting the Editor role to trusted users also narrows exposure, since the attack requires Editor privileges (PR:L) and a higher-privileged victim.

Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

Addresses CWE-79: Validates web inputs to reject script-related content that could produce XSS.

Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
