2381568 – (CVE-2025-6023) CVE-2025-6023 grafana: Cross Site Scripting in Grafana

Bug 2381568 (CVE-2025-6023) - CVE-2025-6023 grafana: Cross Site Scripting in Grafana

Summary: CVE-2025-6023 grafana: Cross Site Scripting in Grafana

Keywords:
Status:	NEW
Alias:	CVE-2025-6023
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-17 02:27 UTC by OSIDB Bzimport
Modified:	2025-07-24 03:09 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-17 02:27:25 UTC

A vulnerability was identified, a cross-site scripting (XSS) in Grafana caused by client path traversal and open redirect. This allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code in scripted dashboards. Unlike many other XSS vulnerabilities, this vulnerability does not require editor permissions. If anonymous access is enabled, the XSS will work.

This XSS vulnerability could enable the redirection of users to external websites and the execution of malicious JavaScript within their browsers. Successful exploitation of this vulnerability might result in session hijacking or complete account takeover.

Note You need to log in before you can comment on or make changes to this bug.