VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2023 · Updated Mar 4, 2025

Stored XSS in Graphite FunctionDescription tooltip

CVE-2023-1410

Description

Grafana is an open-source platform for monitoring and observability.

Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.

The stored XSS was possible because the function description was converted to HTML (via rst2html) and injected into the tooltip as raw HTML without being sanitized.

An attacker needs control over the Graphite data source in order to plant a manipulated function description, a Grafana admin needs to configure that data source, and a Grafana user then needs to select the tampered function in the Graphite function editor and hover over its description.

Users may upgrade to version 8.5.22, 9.2.15, 9.3.11 or 9.4.7 (the patched release for the 9.4.x branch, listed in the affected packages table) to receive a fix.
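To make the rendering difference concrete, here is an added example in plain JavaScript that is not Grafana's or Graphite's code. It models the two tooltip paths from the patch: the pre-fix one, where the description string reaches the DOM as HTML (the real code converted reStructuredText with rst2html first; the stand-in below only preserves the property that matters, that raw markup passed through unescaped), and the post-fix one, where the string is escaped the way React escapes a text child. It also adds a small scan that a Grafana admin could run over a Graphite function-definition payload to spot descriptions carrying markup before wiring up a data source they do not control. The sample payload, its field names, the helper names and the scanning regexes are all constructed for this example and are assumptions, not the real Graphite response format.

```javascript
// Added example, not code from Grafana or Graphite. Models the tooltip rendering
// paths from the fix and a scan for tampered function descriptions.

// Constructed sample of a Graphite function-definition payload (assumption: an
// object keyed by function name whose entries carry a `description` string).
// The `alias` entry is the tampered one a malicious data source could serve.
const SAMPLE_FUNCTION_DEFS = {
  sumSeries: {
    name: 'sumSeries',
    description: 'Adds metrics together and returns the sum at each datapoint.',
  },
  alias: {
    name: 'alias',
    description:
      'Takes one metric and a string. Prints the string instead of the metric name.' +
      '<img src=x onerror="alert(document.domain)">',
  },
  movingAverage: {
    name: 'movingAverage',
    description:
      'Graphs the moving average of a metric over a fixed number of points.\n\n' +
      '.. code-block:: none\n\n  movingAverage(Server.instance01.threads.busy,10)',
  },
};

// Pre-fix path (stand-in for `rst2html` + `dangerouslySetInnerHTML`): the real
// converter turned reStructuredText into HTML, but what matters here is that
// markup in the input reached the DOM unescaped. This stand-in passes it through.
function unsafeTooltipHtml(description) {
  return description ?? '';
}

// Post-fix path: the description is a JSX text child, so React escapes it.
// This is the escaping a browser-independent model needs to reproduce that.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}
function safeTooltipHtml(description) {
  return escapeHtml(description ?? '');
}

// Heuristics (constructed) for markup that should never appear in a function
// description: any HTML tag, an inline event handler, or a script-bearing URL scheme.
const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
const HANDLER_RE = /\bon[a-z]+\s*=|javascript:|data:text\/html/i;

// Returns the names of definitions whose description looks tampered, sorted.
function findSuspiciousDescriptions(defs) {
  return Object.values(defs)
    .filter((d) => typeof d.description === 'string')
    .filter((d) => TAG_RE.test(d.description) || HANDLER_RE.test(d.description))
    .map((d) => d.name)
    .sort();
}

// True when a rendered tooltip string still contains a live HTML tag.
function rendersMarkup(html) {
  return TAG_RE.test(html);
}

// Stand-alone demonstration.
const tampered = SAMPLE_FUNCTION_DEFS.alias.description;
console.log('flagged:', findSuspiciousDescriptions(SAMPLE_FUNCTION_DEFS));
console.log('pre-fix renders markup :', rendersMarkup(unsafeTooltipHtml(tampered)));
console.log('post-fix renders markup:', rendersMarkup(safeTooltipHtml(tampered)));
```

The scan is a heuristic, not a sanitizer: a clean result means no obvious markup, not that the descriptions are trustworthy. The rendering change is what actually closes the bug, because the escaped string can no longer form a tag regardless of what the data source serves.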

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions     Patched version
github.com/grafana/grafana  Go          >= 8.0.0, < 8.5.22    8.5.22
github.com/grafana/grafana  Go          >= 9.0.0, < 9.2.15    9.2.15
github.com/grafana/grafana  Go          >= 9.3.0, < 9.3.11    9.3.11
github.com/grafana/grafana  Go          >= 9.4.0, < 9.4.7     9.4.7


Patches (4)
e59427c0747a

[v9.2.x] Fix xss in Graphite functions tooltip (#810)

https://github.com/grafana/grafana · ismail simsek · Mar 16, 2023 · via ghsa
1 file changed · +1 -3
  • public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx (+1 -3, modified)
    @@ -11,11 +11,9 @@ export interface FunctionEditorControlsProps {
     }
     
     const FunctionDescription = React.lazy(async () => {
    -  // @ts-ignore
    -  const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
       return {
         default(props: { description?: string }) {
    -      return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
    +      return <div>{props.description}</div>;
         },
       };
     });
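Review bot: with the dynamic `import('rst2html')` removed, the `React.lazy(async () => …)` wrapper around `FunctionDescription` no longer loads anything lazily, so the lazy/Suspense indirection is vestigial and could be collapsed into a plain function component in a follow-up. The security part is sound: `<div>{props.description}</div>` renders the value as a JSX text child, which React escapes, so markup served by the Graphite data source can no longer reach the DOM as HTML.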
    
42911348a76e

[v8.5.x] Fix xss in Graphite functions tooltip (#808)

https://github.com/grafana/grafana · ismail simsek · Mar 16, 2023 · via ghsa
1 file changed · +1 -3
  • public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx (+1 -3, modified)
    @@ -11,11 +11,9 @@ export interface FunctionEditorControlsProps {
     }
     
     const FunctionDescription = React.lazy(async () => {
    -  // @ts-ignore
    -  const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
       return {
         default(props: { description?: string }) {
    -      return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
    +      return <div>{props.description}</div>;
         },
       };
     });
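Review bot: this loses the tooltip's formatting along with the injection: the description is reStructuredText (that is what `rst2html` was converting), so after this change `{props.description}` shows the raw RST source and collapses its line breaks into one run of text. If readable descriptions matter on 8.5.x, the safe route is to keep the converter and pass its output through an allow-list HTML sanitizer before `dangerouslySetInnerHTML`, or at minimum render the text with `white-space: pre-wrap` so multi-line descriptions stay legible. Escaped text-child rendering is still the right default.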
    
f9548d33f862

[v9.3.x] Fix xss in Graphite functions tooltip (#806)

https://github.com/grafana/grafana · ismail simsek · Mar 16, 2023 · via ghsa
1 file changed · +1 -3
  • public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx (+1 -3, modified)
    @@ -11,11 +11,9 @@ export interface FunctionEditorControlsProps {
     }
     
     const FunctionDescription = React.lazy(async () => {
    -  // @ts-ignore
    -  const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
       return {
         default(props: { description?: string }) {
    -      return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
    +      return <div>{props.description}</div>;
         },
       };
     });
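Review bot: the only use of `rst2html` visible here goes away together with its `webpackChunkName: "rst2html"` chunk, but the dependency itself is not touched in this one-file diff; check whether anything else still imports it and, if not, drop it from package.json and the lockfile in the same change so an unused third-party HTML-producing package does not linger in the build. The `// @ts-ignore` that was only there to silence the untyped import goes with it, which is a small typing win.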
    
ef2eb2b6bf1d

[v9.4.x] Fix xss in Graphite functions tooltip (#805)

https://github.com/grafana/grafana · ismail simsek · Mar 16, 2023 · via ghsa
1 file changed · +1 -3
  • public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx (+1 -3, modified)
    @@ -11,11 +11,9 @@ export interface FunctionEditorControlsProps {
     }
     
     const FunctionDescription = React.lazy(async () => {
    -  // @ts-ignore
    -  const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
       return {
         default(props: { description?: string }) {
    -      return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
    +      return <div>{props.description}</div>;
         },
       };
     });
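Review bot: the `?? ''` default on `props.description` is dropped together with the converter call; React renders an `undefined` child as nothing, so behaviour is unchanged, but since the prop stays optional keeping `<div>{props.description ?? ''}</div>` would make that explicit. More important for the long run: the fix holds only because the value is a JSX text child, so a short comment noting that the description comes from the Graphite data source, a remote the Grafana admin may not trust, and must be sanitized before any future return to `dangerouslySetInnerHTML` would guard against this regressing.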
    
