Skip to main content

Grafana CVE-2022-31097

HIGH
Cross-site Scripting (XSS) (CWE-79)
2022-07-15 security-advisories@github.com
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 15, 2022 - 12:15 nvd
HIGH 8.7

DescriptionNVD

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

AnalysisAI

Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting. Affected products include: Grafana, Netapp E-Series Performance Analyzer. Version information: prior to 9.0.3.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-34111 CRITICAL POC
9.8 Jun 06

The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerabili

CVE-2022-26148 CRITICAL POC
9.8 Mar 21

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. Rated critical severity (CVSS 9.8), this

CVE-2020-27846 CRITICAL POC
9.8 Dec 21

A signature verification vulnerability exists in crewjam/saml. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-15727 CRITICAL POC
9.8 Aug 29

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generat

CVE-2024-9264 CRITICAL POC
9.4 Oct 18

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input.

CVE-2023-36649 CRITICAL POC
9.1 Dec 12

Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows re

CVE-2025-4123 HIGH POC
7.6 May 22

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redire

CVE-2020-13379 HIGH POC
8.2 Jun 03

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. Rated high severity (CVSS

CVE-2023-1387 HIGH POC
7.5 Apr 26

Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability

CVE-2022-32276 HIGH POC
7.5 Jun 17

Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. Rated high severity (

CVE-2022-32275 HIGH POC
7.5 Jun 06

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. Rated high

CVE-2021-43798 HIGH POC
7.5 Dec 07

Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability

Share

CVE-2022-31097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy