FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Stored XSS in text panel plugin

Affected packages
9.2.0 <= grafana < 9.2.10
9.3.0 <= grafana < 9.3.4
9.2.0 <= grafana9 < 9.2.10
9.3.0 <= grafana9 < 9.3.4

Details

VuXML ID 6dccc186-b824-11ed-b695-6c3be5272acd
Discovery 2023-01-01
Entry 2023-03-01

Grafana Labs reports:

During an internal audit of Grafana on January 1, a member of the security team found a stored XSS vulnerability affecting the core text plugin.

The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React’s render cycle that will pass through the unsanitized HTML code, but in the next cycle, the HTML is cleaned up and saved in Grafana’s database.

The CVSS score for this vulnerability is 6.4 Medium (CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

References

CVE Name CVE-2023-22462
URL https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf