CVE-2023-0594
Published: Mar 1, 2023
Modified: Jan 28, 2026
CVSS v3.1
7.3
Description
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
| Vendor | Product | Versions |
|---|---|---|
Grafana | Grafana | affected 7.0.0 - < 8.5.21affected 9.0.0 - < 9.2.13affected 9.3.0 - < 9.3.8 |
Grafana | Grafana Enterprise | affected 7.0.0 - < 8.5.21affected 9.0.0 - < 9.2.13affected 9.3.0 - < 9.3.8 |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now