Bug 2181117 (CVE-2023-1410) - CVE-2023-1410 grafana: Stored XSS in Graphite FunctionDescription tooltip
Summary: CVE-2023-1410 grafana: Stored XSS in Graphite FunctionDescription tooltip
Keywords:
Status: NEW
Alias: CVE-2023-1410
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2181123 2181124 2181438 2181439 2254043
Blocks: 2181118
Reported: 2023-03-23 06:48 UTC by Avinash Hanwate
Modified: 2024-03-02 05:32 UTC (History)

Fixed In Version: Grafana 8.5.22, Grafana 9.3.11, Grafana 9.2.15
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links:
Red Hat Product Errata RHSA-2023:7741 (Private: no; Priority, Status, Summary: none) - last updated 2023-12-12 13:56:29 UTC

Description Avinash Hanwate 2023-03-23 06:48:19 UTC
When a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use Functions. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM. 

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
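The flaw described above, shown as an added example in JavaScript (this is illustrative code, not Grafana's own source): a tooltip renderer that interpolates the data-source-supplied function description verbatim, beside a hardened renderer that escapes it, plus a small check a reviewer can run over the rendered markup. The function names, the `sampleFunction` object and the payload string are all constructed for this example.

```javascript
// Escape the characters that let a string break out of text or attribute
// context; this is the minimum needed before placing untrusted text in HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (illustrative, hypothetical name): the name and
// description fetched from the Graphite instance go into the markup as-is,
// so any tag the remote server returns becomes live DOM in the viewer's session.
function renderTooltipUnsafe(fn) {
  return `<div class="tooltip"><b>${fn.name}</b><p>${fn.description}</p></div>`;
}

// Hardened pattern: every server-supplied string is escaped first. In a real
// browser, assigning the strings via textContent achieves the same result.
function renderTooltipSafe(fn) {
  return `<div class="tooltip"><b>${escapeHtml(fn.name)}</b>` +
    `<p>${escapeHtml(fn.description)}</p></div>`;
}

// Constructed sample of one entry a hostile Graphite instance could return in
// its function list; the description carries markup instead of plain text.
const sampleFunction = {
  name: "sumSeries",
  description: 'Adds series together. <img src=x onerror="alert(1)">',
};

// Review check: does the rendered HTML contain any tag that is not part of
// our own template? Only literal "<" starts a tag, so escaped text never matches.
function hasUntrustedTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Tags the tooltip template itself emits; anything else came from the data source.
const TEMPLATE_TAGS = ["div", "b", "p"];

console.log("unsafe render leaks a tag:", hasUntrustedTag(renderTooltipUnsafe(sampleFunction), TEMPLATE_TAGS));
console.log("safe render leaks a tag:  ", hasUntrustedTag(renderTooltipSafe(sampleFunction), TEMPLATE_TAGS));
```

The same check is useful as a regression test wherever a frontend renders strings fetched from a configurable data source, since the data source, not the Grafana operator, controls their content.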

Comment 3 TEJ RATHI 2023-03-24 06:20:44 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2181438]

Comment 7 errata-xmlrpc 2023-12-12 13:56:26 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:7741 https://access.redhat.com/errata/RHSA-2023:7741

