Description

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

INFO

Published Date :

2025-05-22T07:44:09.491Z

Last Modified :

2025-07-22T14:11:46.732Z

Source :

GRAFANA
AFFECTED PRODUCTS

The following products are affected by CVE-2025-4123 vulnerability.

Vendors Products
Grafana
  • Grafana
Redhat
  • Enterprise Linux
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-4123.

URL Resource
https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/ cve-icon cve-icon
https://grafana.com/grafana/plugins/instana-datasource/?tab=changelog cve-icon
https://grafana.com/security/security-advisories/cve-2025-4123/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-4123 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-4123 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact