FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Stored XSS in ResourcePicker component

Affected packages
8.1.0 <= grafana < 8.5.16
9.0.0 <= grafana < 9.2.10
9.3.0 <= grafana < 9.3.4
8.1.0 <= grafana8 < 8.5.16
9.0.0 <= grafana9 < 9.2.10
9.3.0 <= grafana9 < 9.3.4

Details

VuXML ID ecffb881-a7a7-11ed-8d6a-6c3be5272acd
Discovery 2022-12-16
Entry 2023-02-09

Grafana Labs reports:

On 2022-12-16 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin GeoMap.

The stored XSS vulnerability was possible because SVG files weren't properly sanitized, which allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
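
The class of defect described in the report above is an upload path that hands SVG content to browsers without inspecting it for executable constructs. The following Go check is an added example for this entry, not Grafana's own code or its actual fix; it rejects the constructs that turn an SVG into a script carrier (script and foreignObject elements, on* event handlers, javascript: URLs) and treats malformed XML as a rejection. The two SVG samples are constructed for the demonstration and are not taken from the advisory.

```go
package main

import (
	"encoding/xml"
	"io"
	"strings"
)

// Finding is one reason an uploaded SVG is rejected.
type Finding struct{ Element, Reason string }
// Constructed samples, not taken from the advisory: one file carrying each
// construct the check rejects, and one benign icon that should pass.
const maliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
<script>// would run in the viewing user's Grafana session</script>
<a xlink:href=" java&#9;script:void(0)"><circle r="5"/></a></svg>`
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>`
// CheckSVG streams the file through encoding/xml and reports every construct that
// could execute script: <script>/<foreignObject> elements, on* event-handler attributes
// and javascript: URLs. Malformed XML is an error, so the upload is rejected outright.
func CheckSVG(in string) ([]Finding, error) {
	dec := xml.NewDecoder(strings.NewReader(in))
	var findings []Finding
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil // clean end of document; empty result means it passed
		} else if err != nil {
			return nil, err // not well-formed XML
		}
		start, ok := tok.(xml.StartElement)
		if !ok {
			continue // text, comments and processing instructions carry no handlers
		}
		name := strings.ToLower(start.Name.Local) // SVG embedded in HTML is case-insensitive
		if name == "script" || name == "foreignobject" {
			findings = append(findings, Finding{name, "forbidden element"})
		}
		for _, a := range start.Attr {
			attr := strings.ToLower(a.Name.Local)
			if strings.HasPrefix(attr, "on") {
				findings = append(findings, Finding{name, "event handler attribute " + attr})
			}
			// Browsers skip leading whitespace and embedded tabs/newlines when matching a scheme.
			v := strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(strings.TrimSpace(a.Value))
			if strings.HasPrefix(strings.ToLower(v), "javascript:") {
				findings = append(findings, Finding{name, "javascript: URL in attribute " + attr})
			}
		}
	}
}
```

A file that yields any finding, or fails to parse, should be refused at upload time; serving accepted files with a restrictive Content-Security-Policy and a non-HTML content type is a second layer for whatever a check like this misses.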

References

CVE Name CVE-2022-23552
URL https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv