FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Stored XSS in TraceView panel

Affected packages
grafana < 8.5.21
9.0.0 <= grafana < 9.2.13
9.3.0 <= grafana < 9.3.8
grafana8 < 8.5.21
9.0.0 <= grafana9 < 9.2.13
9.3.0 <= grafana9 < 9.3.8

Details

VuXML ID e7841611-b808-11ed-b695-6c3be5272acd
Discovery 2023-01-30
Entry 2023-03-01

Grafana Labs reports:

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the values of a span’s attributes/resources were not properly sanitized, and these are rendered when the span’s attributes/resources are expanded.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
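The bug class described above, as an added example that is not Grafana's code: a TraceView-style renderer that interpolates stored span attribute values into markup verbatim, beside the hardened form that escapes them, plus a small regression check that flags any markup-bearing value surviving into the output. The span structure (key/value attribute pairs) and the table rendering are assumptions; the span data is constructed.

```javascript
// Added example, not Grafana's code. Assumes a span carries its attributes
// and resources as {key, value} pairs (OpenTelemetry-style) and that a panel
// renders them as an HTML table when the span is expanded.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

const row = (k, v) => `<tr><td>${k}</td><td>${v}</td></tr>`;

// Vulnerable pattern: stored values are interpolated into markup verbatim,
// so any markup stored in an attribute value is rendered rather than shown.
function renderAttributesUnsafe(span) {
  const rows = span.attributes.map((a) => row(a.key, a.value));
  return `<table>${rows.join('')}</table>`;
}

// Hardened pattern: keys and values are escaped before they reach the markup,
// so a stored "<i>" is displayed literally as text.
function renderAttributesSafe(span) {
  const rows = span.attributes.map((a) => row(escapeHtml(a.key), escapeHtml(a.value)));
  return `<table>${rows.join('')}</table>`;
}

// Regression check: render the span and report every attribute whose raw,
// markup-bearing value survived into the output unescaped.
function auditRendering(span, render) {
  const html = render(span);
  return span.attributes
    .filter((a) => /[<>]/.test(String(a.value)) && html.includes(String(a.value)))
    .map((a) => a.key);
}

// Constructed span: one ordinary attribute and one whose value carries markup,
// standing in for untrusted data that reached the trace store.
const constructedSpan = {
  name: 'GET /api/search',
  attributes: [
    { key: 'http.method', value: 'GET' },
    { key: 'db.statement', value: '<i>not italic</i>' },
  ],
};

console.log('unsafe renderer leaks:', auditRendering(constructedSpan, renderAttributesUnsafe)); // ['db.statement']
console.log('safe renderer leaks:', auditRendering(constructedSpan, renderAttributesSafe));     // []
```

In a React front end, JSX escapes interpolated strings by default, so this defect class typically appears where a value bypasses that escaping (direct DOM assignment or raw-HTML rendering APIs); the audit function above is a useful unit test to keep such paths from regressing.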

References

CVE Name CVE-2023-0594
URL https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/