{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2703", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2025-03-24T07:33:46.939Z", "datePublished": "2025-04-23T11:36:02.852Z", "dateUpdated": "2025-06-10T10:53:48.851Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "11.6.0+security-01", "status": "affected", "version": "11.6.0", "versionType": "semver"}, {"lessThan": "11.5.3+security-01", "status": "affected", "version": "11.5.0", "versionType": "semver"}, {"lessThan": "11.4.3+security-01", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThan": "11.3.5+security-01", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThan": "11.2.8+security-01", "status": "affected", "version": "11.2.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Grafana Enterprise", "vendor": "Grafana", "versions": [{"lessThan": "11.6.0+security-01", "status": "affected", "version": "11.6.0", "versionType": "semver"}, {"lessThan": "11.5.3+security-01", "status": "affected", "version": "11.5.0", "versionType": "semver"}, {"lessThan": "11.4.3+security-01", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThan": "11.3.5+security-01", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThan": "11.2.8+security-01", "status": "affected", "version": "11.2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Paul Gerste (Sonar)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. </p><p>A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.</p>"}], "value": "The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \n\nA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-06-10T10:53:48.851Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2025-2703"}, {"url": "https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:20:27.622977Z", "id": "CVE-2025-2703", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:20:51.418Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:20:27.622977Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:20:45.526Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Paul Gerste (Sonar)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "11.6.0", "lessThan": "11.6.0+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.5.0", "lessThan": "11.5.3+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.4.0", "lessThan": "11.4.3+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.3.0", "lessThan": "11.3.5+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.8+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Grafana", "product": "Grafana Enterprise", "versions": [{"status": "affected", "version": "11.6.0", "lessThan": "11.6.0+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.5.0", "lessThan": "11.5.3+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.4.0", "lessThan": "11.4.3+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.3.0", "lessThan": "11.3.5+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.8+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2025-2703"}, {"url": "https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \n\nA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.", "supportingMedia": [{"type": "text/html", "value": "<p>The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. </p><p>A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-06-10T10:53:48.851Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2703", "state": "PUBLISHED", "dateUpdated": "2025-06-10T10:53:48.851Z", "dateReserved": "2025-03-24T07:33:46.939Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2025-04-23T11:36:02.852Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \n\nA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript."}, {"lang": "es", "value": "El complemento built-in XY Chart es afectado por una vulnerabilidad XSS de DOM. Un usuario con permisos de editor puede modificar dicho panel para que ejecute JavaScript arbitrario."}], "id": "CVE-2025-2703", "lastModified": "2025-06-10T11:15:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.7, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2025-04-23T12:15:16.103", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2025-2703"}, {"source": "security@grafana.com", "url": "https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Cross-Site Scripting in Grafana XY Chart Panel", "id": "2358582", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358582"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \nA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.", "A DOM-based Cross-site scripting vulnerability exists in Grafana's built-in XY Chart plugin. This flaw allows an attacker with editor-level privileges to inject and execute arbitrary JavaScript code by editing an XY Chart Panel. The vulnerability bypasses the Content Security Policy, allowing the script to execute when the chart is rendered."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-2703", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-23T09:56:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2703\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2703"], "statement": "This vulnerability is classified as a Moderate severity due to the ability of authenticated users with Editor permissions to inject arbitrary JavaScript into XY Chart panels. When the panel is rendered, the payload executes in the user's browser context, bypassing existing Content Security Policy (CSP) protections. This allows for potential session hijacking or data exfiltration. While the exploit requires some user privileges and interaction, the security boundary between trusted editors and secure rendering is violated.\nIt is important to note that this issue affects Grafana versions 11.1.0 and later, which are not included in any Red Hat supported builds. Therefore, Red Hat customers are not impacted by this vulnerability.", "threat_severity": "Moderate"}