CVE-2025-4123

Description

A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal with an open redirect. It allows an attacker to redirect users to a website hosting a frontend plugin that executes arbitrary JavaScript. Exploitation does not require editor permissions, and if anonymous access is enabled the XSS works without authentication. If the Grafana Image Renderer plugin is installed, the open redirect can also be leveraged into a full-read SSRF. The default Content-Security-Policy (CSP) in Grafana blocks the XSS through the connect-src directive.

Risk Information

Base Score: 6.1 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score (Exploitation Probability): 6.301

Associated Vulnerability

Vulnerability | OS Platform
CVE-2025-4123 affects Grafana Enterprise 10.4.17 | Windows
CVE-2025-4123 affects Grafana Enterprise 10.4.18 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.2.8 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.2.9 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.3.5 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.3.6 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.4.3 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.4.4 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.5.3 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.5.4 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.6.0 | Windows
CVE-2025-4123 affects Grafana Enterprise 11.6.1 | Windows
CVE-2025-4123 affects Grafana Enterprise 12.0.0 | Windows
Grafana update (ELSA-2025-7894) grafana-9.2.10-23.el8_10.x86_64.rpm | Linux
Grafana-selinux update (ELSA-2025-7894) grafana-selinux-9.2.10-23.el8_10.x86_64.rpm | Linux
(RHSA-2025:7893) Important: security update grafana-selinux-10.2.6-13.el9_6.x86_64.rpm | Linux
(RHSA-2025:7893) Important: security update grafana-10.2.6-13.el9_6.x86_64.rpm | Linux
(RHSA-2025:7894) Important: security update grafana-selinux-9.2.10-23.el8_10.x86_64.rpm | Linux
(RHSA-2025:7894) Important: security update grafana-9.2.10-23.el8_10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sc-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sd-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-se-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sgs-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-shn-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-shs-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-si-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sid-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sk-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sl-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sm-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-so-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sq-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sr-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ss-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ssy-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-st-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-su-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sv-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-sw-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-syr-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-szl-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ta-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tcy-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-te-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tg-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-th-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-the-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ti-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tig-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tk-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tl-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tn-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-to-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tok-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tpi-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tr-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ts-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-tt-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ug-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-uk-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-unm-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ur-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-uz-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0098) glibc-langpack-ve-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-vi-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-wa-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-wae-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-wal-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-wo-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-xh-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-yi-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-yo-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-yue-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-yuw-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-zgh-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-zh-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-langpack-zu-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0097) glibc-locale-source-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0100) glibc-minimal-langpack-2.39-38.el10.x86_64.rpm | Linux
glibc update (CESAS-2025-0097) glibc-utils-2.39-38.el10.x86_64.rpm | Linux
grafana update (CESAS-2025-0096) grafana-10.2.6-18.el10.x86_64.rpm | Linux
grafana update (CESAS-2025-0096) grafana-selinux-10.2.6-18.el10.x86_64.rpm | Linux
Grafana-selinux update (ELSA-2025-7893) grafana-selinux-10.2.6-13.el9_6.x86_64.rpm | Linux
Grafana update (ELSA-2025-7893) grafana-10.2.6-13.el9_6.x86_64.rpm | Linux
(RHSA-2025:7892) Important: security update grafana-selinux-10.2.6-17.el10_0.x86_64.rpm | Linux
(RHSA-2025:7892) Important: security update grafana-10.2.6-17.el10_0.x86_64.rpm | Linux
Important: grafana security update grafana-selinux-10.2.6-13.el9_6.x86_64.rpm | Linux
Important: grafana security update grafana-10.2.6-13.el9_6.x86_64.rpm | Linux
Important: grafana security update grafana-selinux-9.2.10-23.el8_10.x86_64.rpm | Linux
Important: grafana security update grafana-9.2.10-23.el8_10.x86_64.rpm | Linux
libwinpr update (CESAS-2025-0126) libwinpr-3.10.3-3.el10.x86_64.rpm | Linux
grafana update (CESAS-2025-0125) grafana-selinux-10.2.6-20.el10.x86_64.rpm | Linux
grafana update (CESAS-2025-0125) grafana-10.2.6-20.el10.x86_64.rpm | Linux
freerdp update (CESAS-2025-0126) freerdp-libs-3.10.3-3.el10.x86_64.rpm | Linux
freerdp update (CESAS-2025-0126) freerdp-3.10.3-3.el10.x86_64.rpm | Linux
less update (CESAS-2025-0136) less-590-6.el9.x86_64.rpm | Linux
jq update (CESAS-2025-0138) jq-1.6-19.el9.x86_64.rpm | Linux
jq update (CESAS-2025-0138) jq-1.6-19.el9.i686.rpm | Linux
iputils update (CESAS-2025-0133) iputils-ninfod-20210202-14.el9.x86_64.rpm | Linux
iputils update (CESAS-2025-0138) iputils-20210202-14.el9.x86_64.rpm | Linux
grafana update (CESAS-2025-0133) grafana-selinux-10.2.6-15.el9.x86_64.rpm | Linux
grafana update (CESAS-2025-0133) grafana-10.2.6-15.el9.x86_64.rpm | Linux

Patch Details

No records found
