PT-2023-1982 · Grafana+2
Published 2023-02-28 · Updated 2024-04-03 · CVE-2023-0507
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Grafana versions 8.1 through 8.5.20
Grafana versions 9.0 through 9.2.12
Grafana versions 9.3 through 9.3.7
Description
The stored XSS vulnerability in Grafana's GeoMap core plugin exists because map attributions are not properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs the Editor role to change a panel so that it includes a map attribution containing JavaScript, which can lead to vertical privilege escalation: a user with the Editor role can change the password of a user with the Admin role if the Admin user executes the malicious JavaScript while viewing the dashboard.
Recommendations
To resolve the issue, upgrade to version 8.5.21, 9.2.13, or 9.3.8 to receive a fix.
As a temporary workaround, consider restricting access to the GeoMap plugin for users with the Editor role until a patch is available.
Restrict the ability to change map attributions to only Admin users to minimize the risk of exploitation.
Avoid using the GeoMap plugin until the issue is resolved.
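The following is an added example (not part of this advisory or of the Grafana project) showing two defender-side checks for CVE-2023-0507: a version test against the affected ranges listed above, and an audit of an exported dashboard JSON that flags geomap panels whose basemap or layer attribution contains HTML markup. The dashboard key names (options.basemap, options.layers[], config.attribution) are assumed from Grafana's geomap panel schema, and the sample dashboard is constructed for this example.

```python
import json
import re

# Inclusive (low, high) ranges from the advisory; fixed in 8.5.21, 9.2.13 and 9.3.8.
AFFECTED = [((8, 1, 0), (8, 5, 20)), ((9, 0, 0), (9, 2, 12)), ((9, 3, 0), (9, 3, 7))]
# Any '<' that opens a tag; plain text such as "&copy; OpenStreetMap" stays clean.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z]")

def parse_version(version):
    """'v9.3.6' -> (9, 3, 6); a missing minor or patch component counts as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.lstrip("vV"))
    if m is None:
        raise ValueError(f"unparseable Grafana version: {version!r}")
    return tuple(int(p) for p in m.groups(default="0"))

def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def walk_panels(panels):
    """Yield every panel, descending into row panels that nest their children."""
    for panel in panels:
        yield panel
        yield from walk_panels(panel.get("panels") or [])

def find_suspicious_attributions(dashboard):
    """Return (panel title, attribution) for each geomap layer whose attribution has markup.
    Assumed layout: options.basemap and options.layers[], each with config.attribution."""
    hits = []
    for panel in walk_panels(dashboard.get("panels") or []):
        if panel.get("type") != "geomap":
            continue
        options = panel.get("options") or {}
        for layer in [options.get("basemap") or {}] + list(options.get("layers") or []):
            attribution = str((layer.get("config") or {}).get("attribution", ""))
            if MARKUP_RE.search(attribution):
                hits.append((panel.get("title", "<untitled>"), attribution))
    return hits

# Constructed dashboard export: a clean geomap panel and, inside a row, a tampered one.
SAMPLE_DASHBOARD = json.loads("""{"title": "constructed sample", "panels": [
 {"type": "geomap", "title": "clean map", "options": {"basemap": {"type": "xyz",
   "config": {"url": "https://tiles.example.invalid/{z}/{x}/{y}.png",
              "attribution": "&copy; Example Tiles"}}, "layers": []}},
 {"type": "row", "title": "collapsed row", "panels": [
  {"type": "geomap", "title": "tampered map", "options": {"basemap": {"type": "default"},
    "layers": [{"type": "markers", "config": {"attribution":
      "Map data <script>/* constructed marker */</script>"}}]}}]}]}""")
```

Run `find_suspicious_attributions` over each dashboard pulled from the Grafana HTTP API to spot attributions that were tampered with before the upgrade, and `is_affected` against the version reported by the instance to confirm the patch landed.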
Fix
OS Command Injection
XSS
Related Identifiers
Affected Products
Alt Linux
Grafana
Red Os