Bug 2364632 (CVE-2025-4123)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2025-4123 grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect | | |
| Product | [Other] Security Response | Reporter | OSIDB Bzimport <bzimport> |
| Component | vulnerability | Assignee | Product Security DevOps Team <prodsec-dev> |
| Status | NEW --- | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | lchilton, security-response-team, sfeifer |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | --- |
| Doc Text | A flaw was found in Grafana's handling of custom frontend plugins. An attacker can chain a client-side path traversal with an open redirect to achieve cross-site scripting (XSS), resulting in arbitrary JavaScript execution in the victim's browser and potential redirection of the user to malicious websites. If anonymous access is enabled, the attack requires no elevated privileges. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description

OSIDB Bzimport, 2025-05-07 07:39:52 UTC

This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:7892 https://access.redhat.com/errata/RHSA-2025:7892

This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7893 https://access.redhat.com/errata/RHSA-2025:7893

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:7894 https://access.redhat.com/errata/RHSA-2025:7894