CVE & CISA-KEV Catalog

CVE-2022-23552

HIGH
7.3
CVSS v3
NVD

Description

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.

How to fix

Remediation Available
grafanaRocky
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
grafanaRed Hat / RHEL
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
grafana-debuginfoRed Hat / RHEL
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
grafana-debuginfoRocky
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
grafana-debugsourceRocky
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
grafana-debugsourceRed Hat / RHEL
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
Fixed in:0:9.2.10-7.el9_3RHSA-2023:6420
GrafanaEnterpriseWindows application
Affected:9.0.0 9.2.10Fixed in:9.2.10Grafana Labs
Affected:9.3.0 9.3.4Fixed in:9.3.4Grafana Labs
Affected:8.1.0 8.5.16Fixed in:8.5.16Grafana Labs
GrafanaOSSWindows application
Affected:9.0.0 9.2.10Fixed in:9.2.10Grafana Labs
Affected:9.3.0 9.3.4Fixed in:9.3.4Grafana Labs
Affected:8.1.0 8.5.16Fixed in:8.5.16Grafana Labs

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionRequired
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Exploit Intelligence

0.78%probability of exploitation in 30 days
51stpercentile

Moderate risk: more likely to be exploited than 51% of all known CVEs.

References

Related Vulnerabilities

Other CWE-79 (Cross-Site Scripting (XSS)) vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2020-11022Medium6.999%-Fix
CVE-2019-3929Critical9.899%KEVFix
CVE-2020-9496Medium6.199%--
CVE-2023-28341Medium6.199%-Fix
CVE-2018-12998Medium6.198%--
CVE-2025-4123High7.698%-Fix
Embed a live status badge for CVE-2022-23552
CVE-2022-23552 severity badge

Markdown

[![CVE-2022-23552](https://tridentstack.com/cve/badge/CVE-2022-23552.svg)](https://tridentstack.com/cve/CVE-2022-23552)

HTML

<a href="https://tridentstack.com/cve/CVE-2022-23552"><img src="https://tridentstack.com/cve/badge/CVE-2022-23552.svg" alt="CVE-2022-23552"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.