FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 11:22:49 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
955eb3cc-ce0b-11ed-825f-6c3be5272acd	Grafana -- Stored XSS in Graphite FunctionDescription tooltip Grafana Labs reports: When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM. Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed. The severity of this vulnerability is of CVSSv3.1 5.7 Medium (CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)). Discovery 2023-03-14 Entry 2023-03-29 grafana < 8.5.22 ge 9.0.0 lt 9.2.15 ge 9.3.0 lt 9.3.11 ge 9.4.0 lt 9.4.7 grafana8 < 8.5.22 grafana9 < 9.2.15 ge 9.3.0 lt 9.3.11 ge 9.4.0 lt 9.4.7 CVE-2023-1410 https://grafana.com/security/security-advisories/cve-2023-1410/

VuXML ID

Description

955eb3cc-ce0b-11ed-825f-6c3be5272acd

Grafana -- Stored XSS in Graphite FunctionDescription tooltip

Grafana Labs reports:

When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.

The severity of this vulnerability is of CVSSv3.1 5.7 Medium (CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).

Discovery 2023-03-14
Entry 2023-03-29
grafana

< 8.5.22

ge 9.0.0 lt 9.2.15

ge 9.3.0 lt 9.3.11

ge 9.4.0 lt 9.4.7

grafana8

< 8.5.22

grafana9

< 9.2.15

ge 9.3.0 lt 9.3.11

ge 9.4.0 lt 9.4.7

CVE-2023-1410
https://grafana.com/security/security-advisories/cve-2023-1410/