{ "document": { "aggregate_severity": { "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2022-23552: sanitize SVG inputs in GeoMap by adding a dompurify preprocessor\n step, preventing stored XSS where malicious SVG could execute arbitrary JavaScript", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2025/clsa-2025_1757427057.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1757427057", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1757427057" } ], "tracking": { "current_release_date": "2026-02-16T09:37:00Z", "generator": { "date": "2026-02-16T09:37:00Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1757427057", "initial_release_date": "2025-09-09T14:11:34Z", "revision_history": [ { "date": "2025-09-09T14:11:34Z", "number": "1", "summary": "Initial version" }, { "date": "2026-02-16T09:37:00Z", "number": "2", "summary": "Update document" } ], "status": "final", "version": "2" }, "title": "grafana: Fix of CVE-2022-23552" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els9?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23552", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "description", "text": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2022-23552" }, { "category": "external", "summary": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0", "url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0" }, { "category": "external", "summary": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f", "url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f" }, { "category": "external", "summary": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a", "url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a" }, { "category": "external", "summary": "https://github.com/grafana/grafana/pull/62143", "url": "https://github.com/grafana/grafana/pull/62143" }, { "category": "external", "summary": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv", "url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20230302-0008/", "url": "https://security.netapp.com/advisory/ntap-20230302-0008/" } ], "release_date": "2023-01-27T23:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-09-09T14:10:59.897411Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1757427057", "product_ids": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1757427057" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2024-1313", "cwe": { "id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key" }, "notes": [ { "category": "description", "text": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2024-1313" } ], "release_date": "2024-03-26T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-09-09T14:10:59.897411Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1757427057", "product_ids": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1757427057" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }