CVE-2025-6023

Aliases: GHSA-vqph-p5vc-g644, BIT-grafana-2025-6023, GO-2025-3817
Status: Deferred
Published: 18 Jul 2025, 07:48
Last modified: 18 Jul 2025, 13:46

Vulnerability Summary

Overall Risk (default): medium, 32/100
CVSS Score: 7.6 HIGH, v3.1 (cve.org)
EPSS Score: 7.09% LOW (7% probability, +3.37%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

18 Jul 2025, 07:48: Published (vulnerability first disclosed)
18 Jul 2025, 13:46: Last Modified (vulnerability information updated)

Description

An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.

CVSS Metrics

  • v3.1 HIGH, Score: 7.6, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

EPSS Trends

Current EPSS score: 7.09%, Percentile: 92%

Techniques & Countermeasures

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

    The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Affected Systems

  • github.com/grafana/grafana (Go module)

    < 1.9.2-0.20250521205822-0ba0b99665a9 | all

  • grafana/grafana

    ≥ 12.0.x, < 12.0.2+security-01 | ≥ 11.6.x, < 11.6.3+security-01 | ≥ 11.5.x, < 11.5.6+security-01 | ≥ 11.4.x, < 11.4.6+security-01 | ≥ 11.3.x, < 11.3.8+security-01
