CVE-2022-39324 MEDIUM

CVE-2022-39324: Grafana vulnerable to spoofing originalUrl of snapshots

Vendor Grafana
Product grafana
Weakness CWE-79 · XSS
Published January 27, 2023
Last update January 28, 2026

CVSS base score

6.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

Key dates

02Disclosure timeline

January 27, 2023 CVE published
January 28, 2026 Record updated