Cross-site scripting (XSS) vulnerability in Grafana

Indian Computer Emergency Response Team, CERT-In (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

Grafana versions prior to v10.4.18+security-01

Grafana versions prior to v11.2.9+security-01

Grafana versions prior to v11.3.6+security-01

Grafana versions prior to v11.4.4+security-01

Grafana versions prior to v11.5.4+security-01

Grafana versions prior to v11.6.1+security-01

Grafana versions prior to v12.0.0+security-01

Overview

A vulnerability has been reported in Grafana which could be exploited by an attacker to perform a cross-site scripting (XSS) attack on the targeted system.

Target Audience:

All end-user organizations using Grafana.

Risk Assessment:

Potential for session hijacking, credential theft, malware injection, phishing and data exfiltration.

Impact Assessment:

High risk of exploitation of Server-side request forgery (SSRF) vulnerability.

Description

Grafana is an open-source platform for visualizing, monitoring, and alerting on time-series data from various data sources.

This vulnerability exists in Grafana because a client-side path traversal can be combined with an open redirect. An attacker could exploit it by redirecting users to a website that hosts a frontend plugin which executes arbitrary JavaScript.

Successful exploitation of this vulnerability could allow an attacker to perform cross-site scripting on the targeted system.
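The practical question for an administrator is whether a given deployment falls inside the affected ranges listed above. The following Go program is an added example, not code from CERT-In or from the Grafana project: it classifies a Grafana version string against the seven fix lines named under "Software Affected". The fix versions are taken from this advisory; the JSON shape of the Grafana `/api/health` response (a `version` field) and the rule that a numerically equal build without the `+security-01` metadata still predates the fix are this example's assumptions, and the sample health response is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Fix lines as listed under "Software Affected", ordered oldest to newest.
var fixedVersions = []string{
	"10.4.18+security-01", "11.2.9+security-01", "11.3.6+security-01",
	"11.4.4+security-01", "11.5.4+security-01", "11.6.1+security-01",
	"12.0.0+security-01",
}

type Status string

const (
	Affected Status = "affected"
	Fixed    Status = "fixed"
)

type version struct {
	major, minor, patch int
	build               string // metadata after '+', e.g. "security-01"
}

// parseVersion accepts forms such as "v11.6.1+security-01", "11.6.1" and
// "11.6.1-pre+security-01" (the pre-release tag is dropped).
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		v.build = s[i+1:]
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// cmpNumeric compares major.minor.patch only; build metadata is ignored here.
func (v version) cmpNumeric(o version) int {
	for _, d := range [3]int{v.major - o.major, v.minor - o.minor, v.patch - o.patch} {
		if d < 0 {
			return -1
		} else if d > 0 {
			return 1
		}
	}
	return 0
}

// Assess reports whether a Grafana version is inside the advisory's affected range.
func Assess(raw string) (Status, error) {
	v, err := parseVersion(raw)
	if err != nil {
		return "", err
	}
	var newest version
	for _, fs := range fixedVersions {
		f, _ := parseVersion(fs) // the constants above are well-formed
		newest = f
		if f.major == v.major && f.minor == v.minor {
			switch c := v.cmpNumeric(f); {
			case c < 0:
				return Affected, nil
			case c == 0 && !strings.HasPrefix(v.build, "security-"):
				// Assumption: same numbers without the security build metadata predate the fix.
				return Affected, nil
			default:
				return Fixed, nil
			}
		}
	}
	// Not on a listed branch: "prior to" covers every older release, so anything
	// below the newest fix line (12.0.0) is affected and anything newer is past it.
	if v.cmpNumeric(newest) < 0 {
		return Affected, nil
	}
	return Fixed, nil
}

// VersionFromHealth extracts the "version" field from a /api/health response body.
func VersionFromHealth(body []byte) (string, error) {
	var h struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal(body, &h); err != nil {
		return "", err
	}
	if h.Version == "" {
		return "", fmt.Errorf("no version field in health response")
	}
	return h.Version, nil
}

func main() {
	// Constructed sample of a health response; not taken from a real instance.
	sample := []byte(`{"commit":"abcdef0","database":"ok","version":"11.6.0"}`)
	ver, err := VersionFromHealth(sample)
	if err != nil {
		panic(err)
	}
	st, err := Assess(ver)
	fmt.Println(ver, st, err)
}
```

Point the health-response parser at the output of an unauthenticated `GET /api/health` on each instance in inventory and feed the result to `Assess`; a result of `affected` means the vendor update linked under "Solution" is still outstanding for that host.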

Solution

Apply appropriate updates as mentioned by the vendor:

https://grafana.com/security/security-advisories/cve-2025-4123/

Vendor Information

Grafana

https://grafana.com/security/security-advisories/cve-2025-4123/

References

Grafana

https://grafana.com/security/security-advisories/cve-2025-4123/

CVE Name

CVE-2025-4123