CVE-2025-4123
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Summary
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Grafana | Grafana | 10.4.18+security-01 < 10.4.19 | affected |
| Grafana | Grafana | 11.2.9+security-01 < 11.2.10 | affected |
| Grafana | Grafana | 11.3.6+security-01 < 11.3.7 | affected |
| Grafana | Grafana | 11.4.4+security-01 < 11.4.5 | affected |
| Grafana | Grafana | 11.5.4+security-01 < 11.5.5 | affected |
| Grafana | Grafana | 11.6.1+security-01 < 11.6.2 | affected |
| Grafana | Grafana | 12.0.0+security-01 < 12.0.1 | affected |
Weaknesses
- CWE-79: CWE-79
- CWE-601: CWE-601
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://grafana.com/security/security-advisories/cve-2025-4123/
- https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.