Bug 2364632 (CVE-2025-4123)
| Summary: | CVE-2025-4123 grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | lchilton, security-response-team, sfeifer |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious websites. This attack can be carried out without requiring elevated privileges if anonymous access is enabled.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-05-07 07:39:52 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:7892 https://access.redhat.com/errata/RHSA-2025:7892 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7893 https://access.redhat.com/errata/RHSA-2025:7893 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:7894 https://access.redhat.com/errata/RHSA-2025:7894 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:8665 https://access.redhat.com/errata/RHSA-2025:8665 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:8684 https://access.redhat.com/errata/RHSA-2025:8684 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:8685 https://access.redhat.com/errata/RHSA-2025:8685 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:8681 https://access.redhat.com/errata/RHSA-2025:8681 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Via RHSA-2025:8683 https://access.redhat.com/errata/RHSA-2025:8683 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:8679 https://access.redhat.com/errata/RHSA-2025:8679 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:8680 https://access.redhat.com/errata/RHSA-2025:8680 |