Moderate severityNVD Advisory· Published Mar 1, 2023· Updated Jan 28, 2026

CVE-2023-0594

Description

Grafana is an open-source platform for monitoring and observability.

Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization.

The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded.

An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript.

This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.

Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/grafana/grafanaGo	>= 7.0.0, < 8.5.21	8.5.21
github.com/grafana/grafanaGo	>= 9.0.0, < 9.2.13	9.2.13
github.com/grafana/grafanaGo	>= 9.3.0, < 9.3.8	9.3.8

Affected products

Grafana/Grafanav5
Range: 7.0.0
Grafana/Grafana Enterprisev5
Range: 7.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xw5p-hw8j-xg4qghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-0594ghsaADVISORY
grafana.com/security/security-advisories/cve-2023-0594ghsaWEB
grafana.com/security/security-advisories/cve-2023-0594/mitre

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.029
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000