PT-2022-6560 · Grafana+7
Jasu Vindig
Published 2022-01-21 · Updated 2025-09-29
CVE-2022-21702
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Grafana (affected versions not specified)
Description
The issue allows an attacker to serve HTML content through the Grafana datasource or plugin proxy, tricking a user into visiting a specially crafted HTML page and executing a Cross-site Scripting (XSS) attack. This can be done by compromising an existing datasource or setting up a public service and instructing users to set it up in their Grafana instance. The attacker must be in control of the HTTP server serving the URL of the datasource or plugin and have a specially crafted link clicked on by an authenticated user. There are no known workarounds for this issue.
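The defensive counterpart to the flaw described above, as an added example that is not from this advisory or from Grafana's own code: a hypothetical Go middleware for a datasource/plugin proxy that relays only an assumed allow list of media types (JSON, plain text, CSV), downgrades anything else, HTML included, to inert text/plain, and sets X-Content-Type-Options so the browser cannot sniff the body back into a document. It is a containment measure for the proxy path, not a substitute for the patched version.

```go
package main

import (
	"mime"
	"net/http"
)

// SafeProxyContentType returns the Content-Type the proxy should send to the browser.
// Only types a datasource/plugin proxy legitimately relays pass through; anything else,
// HTML above all, and a missing or unparseable header, becomes inert text/plain.
// Hypothetical helper and allow list, not Grafana's own code.
func SafeProxyContentType(upstream string) string {
	mediaType, _, err := mime.ParseMediaType(upstream) // mediaType comes back lower-cased
	if err == nil && (mediaType == "application/json" || mediaType == "text/plain" || mediaType == "text/csv") {
		return upstream
	}
	return "text/plain; charset=utf-8"
}

// hardenedWriter rewrites headers at WriteHeader time, i.e. after the reverse proxy
// has copied the upstream headers into the response.
type hardenedWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (hw *hardenedWriter) WriteHeader(code int) {
	if hw.wroteHeader {
		return
	}
	hw.wroteHeader = true
	hw.Header().Set("Content-Type", SafeProxyContentType(hw.Header().Get("Content-Type")))
	hw.Header().Set("X-Content-Type-Options", "nosniff") // browser must not re-sniff the body as HTML
	hw.ResponseWriter.WriteHeader(code)
}

// Write covers handlers that never call WriteHeader explicitly (implicit 200).
func (hw *hardenedWriter) Write(b []byte) (int, error) {
	hw.WriteHeader(http.StatusOK)
	return hw.ResponseWriter.Write(b)
}

// HardenProxy wraps the datasource/plugin proxy handler (hypothetical name).
func HardenProxy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&hardenedWriter{ResponseWriter: w}, r)
	})
}
```

Wrap the existing proxy handler as `HardenProxy(proxyHandler)`; a datasource that answers with HTML then reaches the browser as plain text with nosniff set, while JSON responses pass through unchanged.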
Recommendations
Update to a patched version.
As a temporary workaround, consider restricting access to the datasource and plugin proxies until a patch is available.
Do not follow links that point at datasources or plugins under someone else's control until the issue is resolved.
Restrict access to compromised plugins to minimize the risk of exploitation.
Exploit
Fix
XSS
Affected Products
Alt Linux
Almalinux
Centos
Grafana
Red Hat
Red Os
Rocky Linux
Suse