{"id":"CVE-2022-31097","summary":"Stored XSS in Grafana's Unified Alerting","details":"Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.","aliases":["BIT-grafana-2022-31097","GHSA-vw7q-p2qg-4m5f","GO-2024-2857"],"modified":"2026-04-11T12:39:56.787453Z","published":"2022-07-15T12:10:10Z","related":["SUSE-SU-2022:3676-1","SUSE-SU-2022:3747-1","SUSE-SU-2022:3751-1","SUSE-SU-2022:3765-1","SUSE-SU-2022:4428-1","SUSE-SU-2022:4437-1","SUSE-SU-2022:4439-1","SUSE-SU-2023:2575-1","SUSE-SU-2023:2578-1","SUSE-SU-2023:2579-1","SUSE-SU-2024:0191-1","SUSE-SU-2024:0196-1","openSUSE-SU-2024:12260-1"],"database_specific":{"cwe_ids":["CWE-79"],"unresolved_ranges":[{"extracted_events":[{"introduced":"9.0.0"},{"fixed":"9.0.3"},{"introduced":"8.5.0"},{"fixed":"8.5.9"},{"introduced":"8.4.0"},{"fixed":"8.4.10"},{"introduced":"8.0.0"},{"fixed":"8.3.10"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31097.json"},"references":[{"type":"WEB","url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/"},{"type":"WEB","url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/"},{"type":"WEB","url":"https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31097.json"},{"type":"ADVISORY","url":"https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31097"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220901-0010/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"41f0542c1ec16ce93b336a9f5cf6eef1aba898d0"},{"fixed":"1cf8d3e67c07450a04fe0a8513e6fbe21ae89ca6"},{"introduced":"e6728d143480cc05d6f91eb740f91836399b8e6a"},{"fixed":"0f5a1e53f03a0735e013e4f3fb7ec084865ef964"},{"introduced":"6134e3cf35a99c7dd3041b7ececb47cb7619ba9a"},{"fixed":"2955d0bc8acaa69edbc03c3efb5c1e4f1e9d84d9"},{"introduced":"b5c56f63710e09f37b8557ddd8b99ae3fc583169"},{"fixed":"023f9251a91743d2399fc32dcf5df8422759a8eb"}],"database_specific":{"extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.3.10"},{"introduced":"8.4.0"},{"fixed":"8.4.10"},{"introduced":"8.5.0"},{"fixed":"8.5.9"},{"introduced":"9.0.0"},{"fixed":"9.0.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31097.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}]}