x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q53q-gxq9-mgrj #3704

GoVulnBot · 2025-05-22T19:03:26Z

Advisory GHSA-q53q-gxq9-mgrj references a vulnerability in the following Go modules:

Module
github.com/grafana/grafana

Description:
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.

The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive.

References:

ADVISORY: GHSA-q53q-gxq9-mgrj
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-4123
FIX: grafana/grafana@c7a6903
WEB: https://grafana.com/security/security-advisories/cve-2025-4123

Cross references:

github.com/grafana/grafana appears in 54 other report(s):
- data/excluded/GO-2022-0259.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0275.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0276.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0277.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0296.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0311.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0312.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0313.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0753.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0773.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0934.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934) NOT_IMPORTABLE
- data/excluded/GO-2023-1599.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1603.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1604.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1673.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673) NOT_A_VULNERABILITY
- data/excluded/GO-2023-1674.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1680.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680) NOT_GO_CODE
- data/excluded/GO-2023-1843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1875.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1964.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2120.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120) EFFECTIVELY_PRIVATE
- data/excluded/GO-2024-2551.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3hv4-r2fm-h27f #2551) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0342.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342)
- data/reports/GO-2022-0707.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707)
- data/reports/GO-2024-2483.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-6wh2-8hw7-jw94 #2483)
- data/reports/GO-2024-2510.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-v5gq-qvjq-8p53 #2510)
- data/reports/GO-2024-2513.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3jq7-8ph8-63xm #2513)
- data/reports/GO-2024-2515.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7m2x-qhrq-rp8h #2515)
- data/reports/GO-2024-2516.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-9hv8-4frf-cprf #2516)
- data/reports/GO-2024-2517.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ccmg-w4xm-p28v #2517)
- data/reports/GO-2024-2519.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519)
- data/reports/GO-2024-2520.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mvpr-q6rh-8vrp #2520)
- data/reports/GO-2024-2523.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xr3x-62qw-vc4w #2523)
- data/reports/GO-2024-2629.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-5mxf-42f5-j782 #2629)
- data/reports/GO-2024-2661.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/tsdb/mysql: GHSA-4pwp-cx67-5cpx #2661)
- data/reports/GO-2024-2697.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-67rv-qpw2-6qrr #2697)
- data/reports/GO-2024-2843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-2x6g-h2hg-rq84 #2843)
- data/reports/GO-2024-2844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3p62-42x7-gxg5 #2844)
- data/reports/GO-2024-2847.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ff5c-938w-8c9q #2847)
- data/reports/GO-2024-2848.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-gj7m-853r-289r #2848)
- data/reports/GO-2024-2851.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-jv32-5578-pxjc #2851)
- data/reports/GO-2024-2852.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mx47-6497-3fv2 #2852)
- data/reports/GO-2024-2854.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-p978-56hq-r492 #2854)
- data/reports/GO-2024-2855.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-rhxj-gh46-jvw8 #2855)
- data/reports/GO-2024-2856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vqc4-mpj8-jxch #2856)
- data/reports/GO-2024-2857.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vw7q-p2qg-4m5f #2857)
- data/reports/GO-2024-2858.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x744-mm8v-vpgr #2858)
- data/reports/GO-2024-2867.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-4724-7jwc-3fpw #2867)
- data/reports/GO-2024-3079.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079)
- data/reports/GO-2024-3215.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215)
- data/reports/GO-2024-3240.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-66c4-2g2v-54qw #3240)
- data/reports/GO-2025-3438.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana
      non_go_versions:
        - fixed: 0.0.0-20250521183405-c7a690348df7
      vulnerable_at: 5.4.5+incompatible
summary: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana
cves:
    - CVE-2025-4123
ghsas:
    - GHSA-q53q-gxq9-mgrj
references:
    - advisory: https://github.com/advisories/GHSA-q53q-gxq9-mgrj
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4123
    - fix: https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
    - web: https://grafana.com/security/security-advisories/cve-2025-4123
source:
    id: GHSA-q53q-gxq9-mgrj
    created: 2025-05-22T19:03:26.491496068Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-05-23T16:10:54Z

Change https://go.dev/cl/675876 mentions this issue: data/reports: add 4 reports

GoVulnBot added the NeedsTriage label May 22, 2025

thatnealpatel added triaged and removed NeedsTriage labels May 23, 2025

thatnealpatel self-assigned this May 23, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q53q-gxq9-mgrj #3704

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q53q-gxq9-mgrj #3704

GoVulnBot commented May 22, 2025

gopherbot commented May 23, 2025

Uh oh!

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q53q-gxq9-mgrj #3704

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q53q-gxq9-mgrj #3704

Comments

GoVulnBot commented May 22, 2025

gopherbot commented May 23, 2025

Uh oh!