[FREEBSD:E2A8E2BD-B808-11ED-B695-6C3BE5272ACD] Grafana -- Stored XSS in geomap panel plugin via attribution

Severity Medium

Affected Packages 3

CVEs 1

Grafana Labs reports:

  During an internal audit of Grafana on January 25, a member of the security
  team found a stored XSS vulnerability affecting the core geomap plugin.
  The stored XSS vulnerability was possible because map attributions weren’t
  properly sanitized, allowing arbitrary JavaScript to be executed in the context
  of the currently authorized user of the Grafana instance.
  The CVSS score for this vulnerability is 7.3 High
  (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Package	Affected Version
pkg:freebsd/grafana9	< 9.2.13
pkg:freebsd/grafana8	< 8.5.21
pkg:freebsd/grafana	< 8.5.21

ID

FREEBSD:E2A8E2BD-B808-11ED-B695-6C3BE5272ACD

Severity

medium

Severity from

CVE-2023-0507

URL

http://vuxml.freebsd.org/freebsd/e2a8e2bd-b808-11ed-b695-6c3be5272acd.html

Published

2023-01-25T00:00:00
(20 months ago)

Modified

2023-03-01T00:00:00
(18 months ago)

Rights

FreeBSD VuXML Security Team

Other Advisories

Source	# ID	Name	URL
FreeBSD VuXML			https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

Type	Package URL	Name / Product	Version
Affected	pkg:freebsd/grafana9	grafana9	< 9.2.13
Affected	pkg:freebsd/grafana8	grafana8	< 8.5.21
Affected	pkg:freebsd/grafana	grafana	< 8.5.21

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date