CVE-2023-22462

Name of the Vulnerable Software and Affected Versions Grafana versions prior to 9.2.10 Grafana versions prior to 9.3.4

Description The issue is related to a stored XSS vulnerability affecting the core plugin "Text" in Grafana. This vulnerability requires several user interactions to be fully exploited and is possible due to React's render cycle passing through unsanitized HTML code. An attacker needs to have the Editor role to change a Text panel to include JavaScript, and another user needs to edit the same Text panel and click on "Markdown" or "HTML" for the code to be executed. This allows for vertical privilege escalation, where a user with Editor role can change a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.

Recommendations Update your Grafana instance to version 9.2.10 or later. Update your Grafana instance to version 9.3.4 or later. As a temporary workaround, consider restricting the Editor role to minimize the risk of exploitation. Restrict access to the "Text" plugin to minimize the risk of exploitation. Avoid using the "Markdown" or "HTML" options in the Text panel until the issue is resolved.