Volkov Labs Business Links Grafana Plugin Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Volkov Labs Business Links panel for Grafana, prior to version 2.4.0, allows a user with Editor privileges to escalate to Administrator and then perform arbitrary administrative actions. The plugin accepts arbitrary JavaScript code in the [Layout] → [Link] → [URL] field (in practice, a link whose URL uses the javascript: scheme) and renders it as a clickable link without validating the URL. When an Administrator clicks such a link, the injected script runs in the Administrator's browser session and can issue authenticated requests to the Grafana API on the Administrator's behalf, for example to raise the Editor's role. The flaw is therefore a stored script injection that an Editor turns into privilege escalation.

Impact

Exploitation of this vulnerability allows an Editor to obtain Administrator privileges, defeating Grafana's role-based access control (RBAC) model. The attack requires an Administrator to click the planted link, but because the link lives in a shared dashboard, any Administrator who opens the panel is a target. Once escalated, the attacker fully controls the Grafana instance, including user management, data source and data access, and plugin installation.

Reproduction

To reproduce this vulnerability, log into Grafana as a user with Editor privileges, edit a dashboard that contains a Business Links panel, and enter a JavaScript payload in place of a link URL. A payload for this issue would, for example, call the Grafana API to change the Editor's role to Administrator; such a request succeeds only with Administrator credentials, which is why the script must run in an Administrator's session rather than the Editor's own. Save the dashboard, then, as an Administrator, open the dashboard and click the link: the JavaScript executes with the Administrator's authenticated session and the Editor's privileges are escalated to Administrator.

Remediation

Users are advised to update to Volkov Labs Business Links version 2.4.0 or later, which addresses this vulnerability by sanitizing the URL input so that JavaScript cannot be injected through the link URL. As defence in depth, enable Grafana's Content Security Policy headers (`content_security_policy = true` under `[security]` in grafana.ini): browsers treat navigation to a javascript: URL as inline script and block it when the policy's script-src does not allow 'unsafe-inline', so CSP is a useful second layer, though not a substitute for the update. Also review existing dashboards for link URLs that carry a javascript: scheme, to identify panels that may already have been abused.
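As an added example (not code from this advisory or from the Business Links plugin), the block below shows why a string-prefix test on a link URL is insufficient, how a scheme allowlist applied to the parsed URL closes the gap, and how to audit exported Grafana dashboard JSON for stored links that would execute script when clicked. The sample dashboard is constructed, and the plugin id `volkovlabs-links-panel` and the `url` field name in it are assumptions used only for illustration; the audit does not depend on them because it checks every string under each panel's `options`.

```javascript
// Added example, not code from the advisory or from the Business Links plugin.
// Two things a practitioner wants after reading the advisory: the URL check a
// link panel should apply before rendering a user-supplied href, and an audit
// that finds already-stored script URLs in exported Grafana dashboard JSON.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const SCRIPT_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Parse a candidate link the way a browser does when it lands in an href.
// Relative links resolve against a fixed placeholder origin; absolute links keep
// their own scheme. The WHATWG parser strips leading whitespace and embedded
// tab/newline characters and lower-cases the scheme, which is exactly the
// normalisation a raw string-prefix check misses. Returns null if unparseable.
function parseLink(url) {
  if (typeof url !== "string") return null;
  try {
    return new URL(url, "https://grafana.invalid/");
  } catch {
    return null;
  }
}

// The bypassable check: a prefix test on the raw string. "JavaScript:",
// a leading space or a tab inside the scheme all defeat it, yet the browser
// still runs the script when the link is clicked.
function naiveIsSafeUrl(url) {
  return !url.startsWith("javascript:");
}

// The hardened check: allowlist the parsed scheme and reject everything else,
// including unparseable input. Protocol-relative "//host/path" resolves to
// https: here and is therefore accepted; add a host check if only same-origin
// links should be allowed.
function isSafeLinkUrl(url) {
  const parsed = parseLink(url);
  return parsed !== null && ALLOWED_SCHEMES.has(parsed.protocol);
}

// Audit helper: walk every string under each panel's options and report those
// whose parsed scheme executes script. Row panels nest child panels under
// `panels`, so both levels are visited. Only the standard export shape
// (dashboard.panels[].options) is relied on; no plugin id is filtered on.
function findScriptLinks(dashboard) {
  const findings = [];
  const walk = (node, path) => {
    if (typeof node === "string") {
      const parsed = parseLink(node);
      if (parsed && SCRIPT_SCHEMES.has(parsed.protocol)) {
        findings.push({ path, scheme: parsed.protocol, value: node });
      }
    } else if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node && typeof node === "object") {
      for (const [k, v] of Object.entries(node)) walk(v, `${path}.${k}`);
    }
  };
  const visitPanels = (panels, prefix) => {
    (panels || []).forEach((panel, i) => {
      const here = `${prefix}[${i}](type=${panel.type})`;
      walk(panel.options, `${here}.options`);
      visitPanels(panel.panels, `${here}.panels`);
    });
  };
  visitPanels(dashboard.panels, "panels");
  return findings;
}

// Constructed sample dashboard, not captured from a real instance. The plugin
// id and the "url" field name are assumed for illustration only.
const SAMPLE_DASHBOARD = {
  title: "Ops overview",
  panels: [
    {
      type: "volkovlabs-links-panel",
      options: {
        groups: [
          { name: "Links", items: [
            { name: "Runbook", url: "https://wiki.example.internal/runbook" },
            { name: "Home", url: "/d/home?orgId=1" },
            // Mixed case and a leading space: passes naiveIsSafeUrl, still executes.
            { name: "Tools", url: " JavaScript:alert(document.domain)" },
          ] },
        ],
      },
    },
    { type: "row", panels: [
      { type: "text", options: { content: "Note: see docs" } },
    ] },
  ],
};

// Usage: print the audit result for the sample dashboard.
console.log(JSON.stringify(findScriptLinks(SAMPLE_DASHBOARD), null, 2));
```

The audit deliberately uses a short denylist of script-executing schemes rather than the allowlist, so that free-text option strings such as "Note: see docs" (which the URL parser reads as scheme `note:`) do not produce false positives; the render-time check keeps the stricter allowlist.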

Added: Sep 8, 2025, 11:21 PM
Updated: Sep 8, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.