GHSA-3cgw-hfw7-wc7j

Source
https://github.com/advisories/GHSA-3cgw-hfw7-wc7j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3cgw-hfw7-wc7j/GHSA-3cgw-hfw7-wc7j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3cgw-hfw7-wc7j
Withdrawn
2023-03-23T20:10:27Z
Published
2023-03-23T09:30:25Z
Modified
2025-02-13T18:41:49Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Duplicate Advisory: Grafana Stored Cross-site Scripting vulnerability
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qrrg-gw7w-vp76. This link is maintained to preserve external references.

Original Description

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS was possible because the value of the Function Description was not properly sanitized. To exploit it, an attacker needs control over the Graphite data source in order to manipulate a function description, a Grafana admin needs to configure that data source, and a Grafana user then needs to select the tampered function and hover over its description. Users may upgrade to version 8.5.22, 9.2.15 or 9.3.11 to receive a fix.

Database specific
{
    "nvd_published_at": "2023-03-23T08:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2023-03-23T20:10:27Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
8.5.22

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3cgw-hfw7-wc7j/GHSA-3cgw-hfw7-wc7j.json"

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
9.2.15

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3cgw-hfw7-wc7j/GHSA-3cgw-hfw7-wc7j.json"

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
9.3.0
Fixed
9.3.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3cgw-hfw7-wc7j/GHSA-3cgw-hfw7-wc7j.json"