Bug 2381568 (CVE-2025-6023)

Summary:	CVE-2025-6023 grafana: Cross Site Scripting in Grafana
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	lchilton, security-response-team, sfeifer
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A Cross-site scripting (XSS) vulnerability was found in Grafana caused by client path traversal and open redirect. This flaw allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code in scripted dashboards. Unlike many other XSS vulnerabilities, this vulnerability does not require editor permissions. If anonymous access is enabled, the XSS attack will be successful.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-17 02:27:25 UTC

A vulnerability was identified, a cross-site scripting (XSS) in Grafana caused by client path traversal and open redirect. This allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code in scripted dashboards. Unlike many other XSS vulnerabilities, this vulnerability does not require editor permissions. If anonymous access is enabled, the XSS will work.

This XSS vulnerability could enable the redirection of users to external websites and the execution of malicious JavaScript within their browsers. Successful exploitation of this vulnerability might result in session hijacking or complete account takeover.