XSS in Grafana XY Chart Plugin
Advisory ID: CVE-2025-2703
Published: 2025-04-23
Product: Grafana
CVSS Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Fixed Versions: >=11.6.0+security-01, >=11.5.3+security-01, >=11.4.3+security-01, >=11.3.5+security-01, >=11.2.8+security-01
Summary
The built-in XY Chart plugin is vulnerable to DOM-based cross-site scripting (XSS). A user with Editor permissions can modify such a panel so that it executes arbitrary JavaScript in the browser of anyone who views it.
This vulnerability first appeared in Grafana v11.1.0 and is fixed in 11.6.0+security-01, 11.5.3+security-01, 11.4.3+security-01, 11.3.5+security-01 and 11.2.8+security-01.
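As an added example (not part of the advisory), the following Python checker decides whether a reported Grafana version falls inside the affected range. It parses the advisory's own "Fixed Versions" string and treats the +security-01 build suffix as significant: a strict SemVer comparison ignores build metadata and would wrongly report plain 11.4.3 as fixed. Versions in a minor line newer than any listed fix are not covered by this advisory, so the checker returns None for them rather than guessing.

```python
import re
from typing import Optional, Tuple

# Values copied from the advisory above.
FIRST_AFFECTED = "11.1.0"
FIXED_VERSIONS_FIELD = (">=11.6.0+security-01 >=11.5.3+security-01 "
                        ">=11.4.3+security-01 >=11.3.5+security-01 >=11.2.8+security-01")

Version = Tuple[int, int, int, int]  # (major, minor, patch, security build)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '+security-NN' suffix.

    Unlike SemVer precedence rules, the build number is kept as a fourth
    component so that 11.4.3 sorts below 11.4.3+security-01.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec) if sec else 0)


def parse_fixed_versions(field: str) -> dict:
    """Map each (major, minor) line to the first fixed build in that line."""
    fixed = {}
    for token in re.findall(r">=\s*(\S+)", field):
        v = parse_version(token)
        fixed[v[:2]] = v
    return fixed


def is_affected(version: str) -> Optional[bool]:
    """True if vulnerable, False if fixed or never affected, None if the
    advisory does not cover this minor line (newer than every listed fix)."""
    v = parse_version(version)
    first = parse_version(FIRST_AFFECTED)
    fixed = parse_fixed_versions(FIXED_VERSIONS_FIELD)
    if v[:3] < first[:3]:
        return False                      # predates the vulnerable code
    if v[:2] in fixed:
        return v < fixed[v[:2]]           # fixed only from the listed build onwards
    if v[:2] > max(fixed):
        return None                       # not described by this advisory
    return True                           # e.g. 11.1.x: affected, no fix listed


if __name__ == "__main__":
    for probe in ["11.0.2", "11.1.4", "11.4.3", "11.4.3+security-01", "11.7.0"]:
        print(f"{probe:>22}: affected={is_affected(probe)}")
```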