vulnerability
FreeBSD: VID-e6281d88-a7a7-11ed-8d6a-6c3be5272acd (CVE-2022-39324): Grafana -- Spoofing originalUrl of snapshots
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:H/Au:S/C:C/I:C/A:P) | Feb 9, 2023 | Feb 10, 2023 | Dec 10, 2025 |
Severity
7
CVSS
(AV:N/AC:H/Au:S/C:C/I:C/A:P)
Published
Feb 9, 2023
Added
Feb 10, 2023
Modified
Dec 10, 2025
Description
Grafana Labs reports: A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibility to click on the Local Snapshot button in the Grafana web UI and be presented with the dashboard that the snapshot captured. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot. (Note: This can be done by editing the query thanks to a web proxy like Burp.) We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
Solutions
freebsd-upgrade-package-grafanafreebsd-upgrade-package-grafana8freebsd-upgrade-package-grafana9
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.