Grafana OSS Cross-Site Scripting Vulnerability via Open Redirect and Path Traversal

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Grafana OSS versions 11.5.0 and later, except the patched releases 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01. The vulnerability arises from an open redirect that can be exploited to execute arbitrary JavaScript in scripted dashboards, and it can be chained with path traversal vulnerabilities to achieve XSS. Notably, exploitation does not require editor permissions. In Grafana Cloud, the absence of a proper Content-Security-Policy directive allows external JavaScript to be loaded and executed, which increases the risk of exploitation.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the context of the user's browser. This could lead to session hijacking or a complete account takeover.

Remediation

Users can upgrade to Grafana versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 or 11.3.8+security-01. Grafana Cloud has already been patched. For self-hosted Grafana, the default Content Security Policy can be adjusted to include a 'connect-src' directive, which blocks the fetch of external JavaScript.
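The connect-src mitigation above depends on the directive actually being present and restrictive: browsers apply connect-src to fetch(), XMLHttpRequest and WebSocket connections, fall back to default-src when connect-src is absent, and leave those connections unrestricted when neither directive exists. The following Python checker is an added example, not Grafana's own code or configuration; it parses a CSP header value and reports whether the policy still lets page scripts reach external hosts. The CSP strings and host names are constructed samples, and the allowed_hosts parameter is invented for this example.

```python
"""Check whether a Content-Security-Policy header value restricts fetch()
(connect-src) to the application's own origin.

Added example for the Grafana advisory; not Grafana's code.  The policy
strings and host names below are constructed samples, not Grafana defaults.
"""
from typing import Dict, Iterable, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source tokens]}.

    Directive names are case-insensitive.  Browsers ignore a repeated
    directive after its first occurrence, so the parser does the same.
    """
    directives: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_connect_src(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs fetch/XHR/WebSocket.

    connect-src wins when present; otherwise default-src applies; if both
    are missing the browser places no restriction at all (returns None).
    """
    if "connect-src" in directives:
        return directives["connect-src"]
    return directives.get("default-src")


# Source expressions that permit connections to arbitrary external hosts.
BROAD_SOURCES = {"*", "http:", "https:", "ws:", "wss:", "data:", "blob:"}


def allows_external_fetch(header: str, allowed_hosts: Iterable[str] = ()) -> bool:
    """True if the policy lets scripts connect to hosts other than 'self'
    and the explicitly allowed hosts (allowed_hosts is a parameter invented
    for this example, e.g. the instance's own WebSocket endpoints)."""
    sources = effective_connect_src(parse_csp(header))
    if sources is None:  # neither connect-src nor default-src: wide open
        return True
    permitted = {"'self'", "'none'"} | {h.lower() for h in allowed_hosts}
    for src in sources:
        s = src.lower()
        if s in BROAD_SOURCES or s.startswith("*."):
            return True  # wildcard or scheme-only source reaches any host
        if s not in permitted:
            return True  # a host outside the allow-list
    return False


# Constructed sample policies (not Grafana's actual default template).
WEAK_CSP = (
    "script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "object-src 'none'; img-src * data:"
)
# Constructed hostname; the ws/wss entries stand in for the instance's own
# live-update WebSocket endpoints that connect-src must keep allowing.
GRAFANA_WS_HOSTS = ("ws://grafana.example.internal", "wss://grafana.example.internal")
HARDENED_CSP = (
    "script-src 'self'; object-src 'none'; img-src * data:; "
    "connect-src 'self' ws://grafana.example.internal wss://grafana.example.internal"
)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        verdict = allows_external_fetch(policy, GRAFANA_WS_HOSTS)
        print(f"{label:9s} policy allows external fetch: {verdict}")
```

To run it against a live instance, pass the value of the Content-Security-Policy response header into allows_external_fetch together with the instance's own WebSocket origins. In self-hosted Grafana that header is built from the content_security_policy_template setting in the [security] section of grafana.ini, so that is where a missing or over-broad connect-src would be corrected.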

Added: Jul 18, 2025, 8:18 AM
Updated: Jul 18, 2025, 8:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 1.0
exploitability: 6.4
remediation: 7.9
relevance: 0.3
threat: 0.1
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.