CVE-2022-31097: Grafana Stored Cross-site Scripting in Unified Alerting

CVSS Score (v3.1): 7.3

Basic Information

EPSS Score: 0.97641%
Published: 5/14/2024
Updated: 11/18/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
github.com/grafana/grafana   go          >= 9.0.0, < 9.0.3     9.0.3
github.com/grafana/grafana   go          >= 8.5.0, < 8.5.9     8.5.9
github.com/grafana/grafana   go          >= 8.4.0, < 8.4.10    8.4.10
github.com/grafana/grafana   go          >= 8.0.0, < 8.3.10    8.3.10

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The provided vulnerability information describes a stored XSS in Grafana's Unified Alerting feature but does not include specific code references, commit diffs, or patch details. While the advisory clearly identifies the vulnerable component (Unified Alerting) and attack vector (stored XSS via crafted alert content), there is insufficient technical detail to determine the exact vulnerable functions. The CWE-79 classification confirms improper input sanitization, but without access to the specific code changes in versions 8.3.10/8.4.10/8.5.9/9.0.3, we cannot confidently identify the exact functions responsible for rendering or processing alert content that lacked proper HTML escaping.
