CVE-2022-39324 Grafana vulnerable to spoofing originalUrl of snapshots

🗓️ 27 Jan 2023 22:42:01Reported by GitHub_MType

Grafana allows malicious users to spoof originalUrl of snapshot

Reporter	Title	Published	Views	Family All 99
IBM Security Bulletins	Security Bulletin: IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324)	18 Jan 202414:20	–	ibm
IBM Security Bulletins	Security Bulletin: Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities.	11 Apr 202311:47	–	ibm
AlmaLinux	Moderate: grafana security and enhancement update	7 Nov 202300:00	–	almalinux
BDU FSTEC	The vulnerability of the Grafana monitoring and observation platform lies in the improper handling of input during the creation of a web page. This allows a hacker to inject the entered URL address into the system.	5 Apr 202400:00	–	bdu_fstec
Chainguard	CVE-2022-39324 vulnerabilities	27 Jan 202323:15	–	cgr
Circl	CVE-2022-39324	28 Jan 202302:34	–	circl
CNNVD	Grafana 跨站脚本漏洞	27 Jan 202300:00	–	cnnvd
CVE	CVE-2022-39324	27 Jan 202322:42	–	cve
FreeBSD	Grafana -- Spoofing originalUrl of snapshots	25 Jan 202300:00	–	freebsd
FreeBSD	Grafana -- Stored XSS in ResourcePicker component	16 Dec 202200:00	–	freebsd

[
  {
    "vendor": "grafana",
    "product": "grafana",
    "versions": [
      {
        "version": "< 8.5.16",
        "status": "affected"
      },
      {
        "version": ">= 9.0.0, < 9.2.8",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a
github	www.github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c
github	www.github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
github	www.github.com/grafana/grafana/pull/60256
github	www.github.com/grafana/grafana/pull/60232

27 Jan 2023 22:42Current

7High risk

Vulners AI Score7

CVSS 3.16.7

EPSS0.00828

CWE-79