CVE-2023-0594 HIGH

CVE-2023-0594

Vendor Grafana
Product Grafana
Weakness CWE-79 · XSS
Published March 1, 2023
Last update January 28, 2026
View on NVD All CVEs

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Key dates

02Disclosure timeline

March 1, 2023 CVE published
January 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-9349 Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.2 - Reflected Cross-Site Scripting CVE-2025-69330 WordPress Prestige theme < 1.4.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-53233 WordPress Storyform plugin <= 0.6.14 - Cross Site Scripting (XSS) Vulnerability CVE-2023-32580 WordPress Password Protected Plugin <= 2.6.2 is vulnerable to Cross Site Scripting (XSS) CVE-2022-34650 WordPress Team plugin <= 1.2.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities