PT-2023-8898 · Grafana+3
Renniepak · Published 2023-03-23 · Updated 2024-06-15
CVE-2023-1410 · CVSS v3.1 6.2 Medium
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Grafana versions prior to 8.5.22
Grafana versions prior to 9.2.15
Grafana versions prior to 9.3.11
Description
Grafana is an open-source platform for monitoring and observability. A stored XSS vulnerability was found in the Graphite FunctionDescription tooltip. The vulnerability is possible due to the value of the Function Description not being properly sanitized. An attacker needs to have control over the Graphite data source to manipulate a function description, and a Grafana admin needs to configure the data source. Later, a Grafana user needs to select a tampered function and hover over the description. This can allow an attacker to execute arbitrary JavaScript in the browser of the victim, potentially leading to adding the attacker as an admin.
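The root cause described above is a tooltip that places a data-source-controlled string (the function description) into the page as markup rather than as text. The following is an added example, not Grafana's code, that shows the vulnerable pattern beside two hardened forms: escaping before concatenation, and assigning the text with `textContent` so no markup is ever parsed. The names `escapeHtml`, `buildTooltipHtmlUnsafe`, `buildTooltipHtml`, `renderTooltip` and the sample description are assumptions for this example.

```javascript
// Added example (not Grafana's code): rendering an untrusted data-source
// string, such as a Graphite function description, into a tooltip.

// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every HTML-significant character so the string is shown literally.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the description is concatenated into markup that is
// later assigned to innerHTML, so any tags it carries are interpreted by the
// browser. This is the class of defect the advisory describes.
function buildTooltipHtmlUnsafe(funcName, description) {
  return `<div class="tooltip"><b>${funcName}</b><p>${description}</p></div>`;
}

// Hardened pattern: both untrusted fields are escaped before concatenation,
// so the same input is rendered as visible text.
function buildTooltipHtml(funcName, description) {
  return (
    `<div class="tooltip"><b>${escapeHtml(funcName)}</b>` +
    `<p>${escapeHtml(description)}</p></div>`
  );
}

// Preferred in browser code: skip HTML string construction entirely and
// assign the untrusted text with textContent, which never parses markup.
// (Requires a DOM; not exercised outside the browser.)
function renderTooltip(container, funcName, description) {
  const name = document.createElement("b");
  name.textContent = funcName;
  const body = document.createElement("p");
  body.textContent = description;
  container.replaceChildren(name, body);
  return container;
}

// Constructed sample: a description carrying an HTML tag with an event handler.
const SAMPLE_DESCRIPTION = 'Averages the series <img src=x onerror="alert(1)">';

// Compare the two outputs: the unsafe builder keeps the tag, the safe one
// turns it into inert text.
console.log(buildTooltipHtmlUnsafe("avg", SAMPLE_DESCRIPTION));
console.log(buildTooltipHtml("avg", SAMPLE_DESCRIPTION));
```

Of the two hardened forms, `renderTooltip` is the better default for UI code because it removes the escaping step altogether; `escapeHtml` is the fallback when a component must produce an HTML string. A useful regression check for either form is that the rendered output never contains a `<` that came from the data source.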
Recommendations
To resolve the issue, upgrade to version 8.5.22, 9.2.15, or 9.3.11 to receive a fix.
As a temporary workaround, consider disabling the FunctionDescription feature until a patch is available.
Restrict access to the Graphite data source to minimize the risk of exploitation.
Avoid using the FunctionDescription tooltip in the affected API endpoint until the issue is resolved.
Exploit · Fix · XSS
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Grafana
Red Os
Suse