Vtorosyan

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 9.2.10 Grafana versions prior to 9.3.4 **Description** The issue is related to the caching of datasource queries in Grafana, which includes caching of the `grafana session` header. This allows any user querying a datasource with caching enabled to potentially acquire another user's session. **Recommendations** For versions prior to 9.2.10, disable datasource query caching for all datasources as a mitigation measure. For versions prior to 9.3.4, disable datasource query caching for all datasources as a mitigation measure. As a temporary workaround, consider disabling the datasource query caching for all datasources until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 9.2.10 Grafana versions prior to 9.3.4 **Description** The issue is related to a stored XSS vulnerability affecting the core plugin "Text" in Grafana. This vulnerability requires several user interactions to be fully exploited and is possible due to React's render cycle passing through unsanitized HTML code. An attacker needs to have the Editor role to change a Text panel to include JavaScript, and another user needs to edit the same Text panel and click on "Markdown" or "HTML" for the code to be executed. This allows for vertical privilege escalation, where a user with Editor role can change a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. **Recommendations** Update your Grafana instance to version 9.2.10 or later. Update your Grafana instance to version 9.3.4 or later. As a temporary workaround, consider restricting the Editor role to minimize the risk of exploitation. Restrict access to the "Text" plugin to minimize the risk of exploitation. Avoid using the "Markdown" or "HTML" options in the Text panel until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Grafana versions 8.1 through 8.5.15 Grafana versions 9.2.0 through 9.2.9 Grafana versions 9.3.0 through 9.3.3 **Description** Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. **Recommendations** For versions 8.1 through 8.5.15, upgrade to version 8.5.16 to receive a fix. For versions 9.2.0 through 9.2.9, upgrade to version 9.2.10 to receive a fix. For versions 9.3.0 through 9.3.3, upgrade to version 9.3.4 to receive a fix.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 8.5.16 and 9.2.8 **Description** The issue allows a malicious user to create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the real original dashboard but to the attacker’s injected URL. **Recommendations** For versions prior to 8.5.16, update to version 8.5.16 or later. For versions prior to 9.2.8, update to version 9.2.8 or later. As a temporary workaround, consider restricting access to the snapshot feature until a patch is available. Avoid using the `originalUrl` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 8.5.15 Grafana versions 9.0.0 through 9.2.3 **Description** Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the "/api/user/password/sent-reset-email" URL. When the `username` or `email` does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. **Recommendations** For Grafana versions prior to 8.5.15, update to version 8.5.15 or later. For Grafana versions 9.0.0 through 9.2.3, update to version 9.2.4 or later. As a temporary workaround, consider restricting access to the `/api/user/password/sent-reset-email` API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 8.5.13 Grafana versions prior to 9.0.9 Grafana versions prior to 9.1.6 **Description** The issue is related to Improper Preservation of Permissions, resulting in privilege escalation on some folders where Admin is the only used permission. This occurs when RBAC was disabled and then enabled, as the migrations translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin. As a result, RBAC adds permissions for Editors and Viewers, allowing them to edit and view folders. **Recommendations** For versions prior to 8.5.13, update to version 8.5.13 or later. For versions prior to 9.0.9, update to version 9.0.9 or later. For versions prior to 9.1.6, update to version 9.1.6 or later. As a temporary workaround when the impacted folder/dashboard is known, consider removing the additional permissions manually.