
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored XSS vulnerability (CVE-2023-1410) was discovered in Grafana versions 8.0.0 prior to 8.5.22, 9.2.0 prior to 9.2.15, and 9.3.0 prior to 9.3.11. The vulnerability exists in the Graphite FunctionDescription tooltip feature where function descriptions were not properly sanitized (Grafana Advisory, GitHub Advisory).
The vulnerability occurs when a Graphite data source is added to a dashboard. When using the Functions feature, a tooltip appears when hovering over a function name, allowing users to delete the function or show its description. The vulnerability exists because no sanitization is performed when that description is added to the DOM. The issue is located in the file 'public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx', where rst2html parsing leaves embedded HTML untouched, so XSS payloads survive when the converted description is applied using dangerouslySetInnerHTML (GitHub Advisory).
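The following is an added example, not code from the Grafana project or from the advisory, contrasting the unsafe pattern the advisory describes (converter output injected as raw HTML) with a hardened variant that neutralizes markup in the untrusted description before it is converted. The rst2htmlStub function is an assumed stand-in for the real RST converter (it only wraps text in a paragraph and passes embedded tags through, as the advisory says rst2html does); the SAMPLE string is a constructed description, and containsActiveContent is a heuristic tripwire for tests and log review, not a sanitizer.

```javascript
// Stand-in for an RST-to-HTML converter that leaves embedded HTML untouched.
// Assumption: the real converter wraps text in <p> and passes raw tags through.
function rst2htmlStub(rst) {
  return `<p>${rst}</p>`;
}

// Vulnerable pattern: converter output goes straight into the DOM
// (React: dangerouslySetInnerHTML={{ __html: renderDescriptionUnsafe(desc) }}).
function renderDescriptionUnsafe(description) {
  return rst2htmlStub(description);
}

// Entity-encode the five characters that let text become markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: escape the untrusted description *before* conversion so any
// tag it carries is rendered as visible text, never parsed as an element. The
// converter's own markup (the <p> here) is still produced from RST syntax.
function renderDescriptionSafe(description) {
  return rst2htmlStub(escapeHtml(description));
}

// Heuristic check for a unit test or a log review: does the HTML we are about
// to inject still contain active content? This is a tripwire, not a sanitizer.
const ACTIVE_CONTENT = [
  /<\s*script\b/i,     // script element
  /<\s*iframe\b/i,     // nested browsing context
  /\son[a-z]+\s*=/i,   // inline event handler attribute
  /javascript\s*:/i,   // javascript: URL scheme
];
function containsActiveContent(html) {
  return ACTIVE_CONTENT.some((re) => re.test(html));
}

// Constructed sample description: legitimate text plus an injected script tag.
const SAMPLE = 'Sums the series.<b>note</b><script>evil()</script>';

// Unsafe rendering keeps the script element; safe rendering turns it into text.
const unsafeHtml = renderDescriptionUnsafe(SAMPLE);
const safeHtml = renderDescriptionSafe(SAMPLE);
console.log('unsafe:', unsafeHtml, containsActiveContent(unsafeHtml));
console.log('safe:  ', safeHtml, containsActiveContent(safeHtml));
```

Escaping before conversion is the right choice when the description is meant to be plain text with RST formatting; if a data source genuinely needs to ship formatted HTML in descriptions, the alternative is an allowlist-based HTML sanitizer applied to the converter's output, never a regex filter. The tripwire above is useful as a regression test on the rendered tooltip markup.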
Successful exploitation could lead to disclosure of sensitive information or addition/modification of data. An attacker could execute arbitrary JavaScript in the victim's browser, potentially adding themselves as an admin if the victim has administrative privileges (NetApp Advisory, GitHub Advisory).
Users should upgrade to Grafana versions 8.5.22, 9.2.15, 9.3.11, or 9.4.7 to receive the fix (Grafana Advisory).
Source: This report was generated using AI