Grafana 8.2.3 released with medium severity security fix: CVE-2021-41174 Grafana XSS
Blog post from Grafana Labs
Grafana 8.2.3 has been released to address a medium-severity XSS vulnerability, CVE-2021-41174, which affects all versions from 8.0.0-beta1 through 8.2.2. The vulnerability allows an attacker to execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL pointing at a vulnerable page. Grafana Cloud instances have already been patched, and Enterprise customers have received updated binaries.

The vulnerability primarily affects unauthenticated pages rendered with AngularJS, which can be exploited through specific URL manipulations. Affected pages include certain snapshot and invite URLs. The mitigations are to update to the latest patch release or to use a reverse proxy to block suspicious URL patterns.

The issue was initially reported on October 21, 2021, and a series of actions was taken to mitigate the risk, including disabling anonymous access on Grafana Cloud and deploying workarounds. An audit of Grafana Cloud found no evidence of exploitation, and the fix was publicly disclosed on November 3, 2021. Users are encouraged to report any security vulnerabilities to [email protected] and to subscribe to security updates via Grafana's blog and RSS feed.
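The post recommends blocking "suspicious URL patterns" at a reverse proxy as an interim mitigation, and the same pattern match is useful when reviewing access logs for attempts. The script below is an added example, not code from Grafana Labs or from the post. It assumes two things the post does not spell out: that the affected unauthenticated pages live under `/dashboard/snapshot/` and `/invite/`, and that the pattern worth flagging is the AngularJS interpolation marker `{{` / `}}`. Both are assumptions to be checked against the advisory before use. The example also handles one edge case a naive proxy rule misses: the marker arriving percent-encoded or double-encoded.

```python
"""Flag requests to unauthenticated AngularJS-rendered Grafana pages whose URL
carries template-interpolation markers, the kind of 'suspicious URL pattern'
a reverse-proxy block rule or an access-log review would look for.

Assumptions (not stated in the post): the affected pages live under
/dashboard/snapshot/ and /invite/, and the marker is AngularJS '{{' / '}}'.
Adjust both to the published advisory before relying on this.
"""
import re
from urllib.parse import unquote

# Assumed list of unauthenticated AngularJS-rendered page prefixes.
WATCHED_PREFIXES = ("/dashboard/snapshot/", "/invite/")

# AngularJS interpolation markers, matched after percent-decoding.
MARKER_RE = re.compile(r"\{\{|\}\}")

# Apache/nginx combined log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize_target(target: str) -> str:
    """Percent-decode repeatedly so %7B%7B and double-encoded %257B%257B both
    end up as '{{'. Bounded to three passes to avoid pathological input."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_suspicious(target: str) -> bool:
    """True when the request targets a watched page and contains a marker.
    Requests to other paths are ignored even if they carry '{{', so the
    rule stays narrow enough to deploy as a block without collateral damage."""
    decoded = normalize_target(target)
    return decoded.startswith(WATCHED_PREFIXES) and MARKER_RE.search(decoded) is not None


def scan_log(lines):
    """Return (ip, timestamp, target) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# Constructed sample log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Oct/2021:10:00:01 +0000] "GET /dashboard/snapshot/abc123 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Oct/2021:10:00:02 +0000] "GET /dashboard/snapshot/%7B%7Btest%7D%7D HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Oct/2021:10:00:03 +0000] "GET /invite/%257B%257Bx%257D%257D HTTP/1.1" 200 4096',
    '192.0.2.5 - - [21/Oct/2021:10:00:04 +0000] "GET /api/search?query=%7B%7B HTTP/1.1" 200 310',
    '192.0.2.5 - - [21/Oct/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Run on its own, the script reports only the second and third sample lines: the plain snapshot request, the `/api/search` query carrying `{{` outside a watched prefix, and the login page are all left alone. The repeated decoding in `normalize_target` is the part to carry over into whatever proxy rule you deploy, since a single-pass match on the literal `{{` will not see `%7B%7B`.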