{"uuid": "030613f7-4147-4e7d-b7b9-2e8f9fd2234f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-0594", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/6887", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-0594\n\ud83d\udd25 CVSS Score: 7.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)\n\ud83d\udd39 Description: Grafana is an open-source platform for monitoring and observability.\n\nStarting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization.\n\nThe stored XSS vulnerability was possible because the value of a span's attributes/resources was not properly sanitized and is rendered when the span's attributes/resources are expanded.\n\nAn attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript.\n\nThis means that vertical privilege escalation is possible, where a user with the Editor role can change the password of a user with the Admin role to a known value if the Admin user executes the malicious JavaScript while viewing a dashboard.\n\nUsers may upgrade to versions 8.5.21, 9.2.13, or 9.3.8 to receive a fix.\n\n\ud83d\udccf Published: 2023-03-01T15:36:43.881Z\n\ud83d\udccf Modified: 2025-03-07T19:34:28.387Z\n\ud83d\udd17 References:\n1. https://grafana.com/security/security-advisories/cve-2023-0594/", "creation_timestamp": "2025-03-07T20:40:33.000000Z"}