PT-2023-2055 · Grafana+2
Published 2023-02-08 · Updated 2024-04-05
CVE-2023-0594
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Grafana versions 7.0 through 8.5.20
Grafana versions 9.2.0 through 9.2.12
Grafana versions 9.3.0 through 9.3.7
Description
Grafana has a stored XSS vulnerability in the trace view visualization. The value of a span's attributes/resources is not properly sanitized and is rendered when the span's attributes/resources are expanded. An attacker needs the Editor role to change the value in a trace view visualization so that it contains JavaScript. This allows vertical privilege escalation: a user with the Editor role can change a known password of a user with the Admin role if the Admin user executes the malicious JavaScript while viewing a dashboard.
Recommendations
To resolve the issue, upgrade to version 8.5.21, 9.2.13, or 9.3.8.
As a temporary workaround, consider restricting the Editor role to minimize the risk of exploitation.
Restrict access to the trace view visualization to minimize the risk of exploitation.
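The following is an added example, not Grafana's code: a small triage helper that checks a Grafana version against the affected ranges listed on this page, alongside the escaping pattern that closes the rendering flaw described above (hypothetical `escapeHtml` and `renderSpanAttributeRow` helpers; the trace view's real rendering code is not reproduced here).

```javascript
// Added example (not Grafana's code): version triage for CVE-2023-0594 and the
// rendering pattern that avoids the stored-XSS class described on this page.

// Affected ranges as listed on this page (inclusive bounds).
const AFFECTED_RANGES = [
  ["7.0.0", "8.5.20"],
  ["9.2.0", "9.2.12"],
  ["9.3.0", "9.3.7"],
];

// Parse "major.minor.patch" into numbers; missing parts default to 0.
function parseVersion(v) {
  const parts = String(v).split(".").map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`invalid version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the given Grafana version falls inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) =>
      compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0
  );
}

// Escape the five characters that let untrusted text break out of an HTML
// text node or quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]
  );
}

// Render one expanded span attribute as a table row. Both key and value come
// from trace data (untrusted), so each is escaped before being concatenated
// into markup; the vulnerable pattern is this same template without escapeHtml().
function renderSpanAttributeRow(key, value) {
  return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
}
```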
Fix
XSS
Related Identifiers
Affected Products
Alt Linux
Grafana
Red Os