In new alerting, the runbook URL is stored as an annotation for the alert rule and can be used to initiate a stored XSS attack.
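The defensive check that closes this class of bug is to treat the runbook URL as data that must pass a scheme allowlist before it is ever rendered as a link. The Go function below is an added example written for this bug report, not Grafana's own code; the function name ValidateRunbookURL, the allowlist of http/https and the sample inputs are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedRunbookSchemes is the allowlist of URL schemes a runbook link may use.
// Assumption of this example: runbook links only ever point at web pages.
var allowedRunbookSchemes = map[string]bool{"http": true, "https": true}

// ValidateRunbookURL returns the normalized URL if it is safe to render as an
// href, or an error describing why it was rejected. Relative and
// scheme-relative values are rejected because the annotation is meant to be an
// absolute link to a runbook.
func ValidateRunbookURL(raw string) (string, error) {
	trimmed := strings.TrimSpace(raw)
	if trimmed == "" {
		return "", fmt.Errorf("runbook url is empty")
	}
	// Reject control characters and embedded whitespace: some HTML parsers
	// strip them, which lets a value like "java<TAB>script:" slip past a
	// naive string-prefix check.
	for _, r := range trimmed {
		if r < 0x20 || r == 0x7f || r == ' ' {
			return "", fmt.Errorf("runbook url contains a control or whitespace character")
		}
	}
	u, err := url.Parse(trimmed)
	if err != nil {
		return "", fmt.Errorf("runbook url does not parse: %w", err)
	}
	// net/url lowercases the scheme, but lowercase again so the check does
	// not depend on that behaviour.
	scheme := strings.ToLower(u.Scheme)
	if !allowedRunbookSchemes[scheme] {
		return "", fmt.Errorf("runbook url scheme %q is not allowed", u.Scheme)
	}
	if u.Host == "" {
		return "", fmt.Errorf("runbook url has no host")
	}
	return u.String(), nil
}

func main() {
	// Constructed sample annotation values, not taken from any real alert rule.
	samples := []string{
		"https://runbooks.example.invalid/db-down",
		"javascript:alert(document.cookie)",
		"JavaScript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"//evil.example.invalid/runbook",
		"java\tscript:alert(1)",
		"",
	}
	for _, s := range samples {
		if safe, err := ValidateRunbookURL(s); err != nil {
			fmt.Printf("REJECT %q: %v\n", s, err)
		} else {
			fmt.Printf("ACCEPT %q -> %s\n", s, safe)
		}
	}
}
```

The check is applied when the annotation is saved and again when it is rendered, so a value written by an older version or through a different API path is still filtered; output escaping by the template engine is still required on top of this, since the allowlist only controls the scheme, not the surrounding markup.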
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2107436]
$ depcli -svv grafana | grep rhel
rhel-8.1.0.z grafana-6.2.2-7.el8_1
rhel-8.2.0.z grafana-6.3.6-3.el8_2
rhel-8.4.0.z grafana-7.3.6-4.el8_4
rhel-8.6.0.z grafana-7.5.11-2.el8
rhel-8.7.0 grafana-7.5.15-1.el8
rhel-9.0.0.z grafana-7.5.11-4.el9_0
rhel-9.1.0 grafana-7.5.15-1.el9

> This CVE only affects Grafana >= 8 [1], hence our RHEL versions are not affected by this CVE.

[1] https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642