4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3cgw-hfw7-wc7j

GHSA-3cgw-hfw7-wc7j: Duplicate Advisory: Grafana Stored Cross-site Scripting vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qrrg-gw7w-vp76. This link is maintained to preserve external references.

Original Description

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-3cgw-hfw7-wc7j

GHSA-3cgw-hfw7-wc7j:

4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	< 8.5.22	8.5.22
github.com/grafana/grafana	go	>= 9.0.0, < 9.2.15	9.2.15
github.com/grafana/grafana	go	>= 9.3.0, < 9.3.11	9.3.11

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the FunctionDescription component in Graphite datasource handling. The advisory explicitly shows the component uses dangerouslySetInnerHTML with raw rst2html output, which doesn't perform HTML sanitization. This allows XSS payloads in Graphite function descriptions to execute when rendered. The file path and component structure match the technical details provided in the security advisory's mitigation section.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-3cgw-hfw7-wc7j: Duplicate Advisory: Grafana Stored Cross-site Scripting vulnerability

Duplicate Advisory

Original Description

GHSA-3cgw-hfw7-wc7j:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

4.8

4.8

GHSA-3cgw-hfw7-wc7j: Duplicate Advisory: Grafana Stored Cross-site Scripting vulnerability

Duplicate Advisory

Original Description

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI