CVE-2025-4123 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-4123 Interim 1 13 2026-03-05T01:32:16Z current 2025-05-20T23:15:19Z 2026-03-05T01:32:16Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-4123 A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/suse-liberty-linux-updates/2025-June/001551.html E-Mail link for RHSA-2025:7893 https://lists.suse.com/pipermail/suse-liberty-linux-updates/2025-May/001149.html E-Mail link for RHSA-2025:7894 https://lists.suse.com/pipermail/sle-updates/2025-June/040353.html E-Mail link for SUSE-SU-2025:01985-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NUT27N46T3RCYUKKZDD2PQ3C7X7OURLR/ E-Mail link for openSUSE-SU-2025:15179-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE SUSE Liberty Linux 8 SUSE Liberty Linux 9 SUSE Linux Enterprise Server 16.0 SUSE Manager Server 4.3 SUSE Multi-Linux Manager Client Tools for SLE 12 SUSE Multi-Linux Manager Client Tools for SLE 15 openSUSE Tumbleweed gnutls-3.8.3-slfo.1.1_5.1 govulncheck-vulndb-0.0.20250527T204717-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 grafana grafana-10.2.6-13.el9_6 grafana-11.6.1+security01-1.1 grafana-9.2.10-23.el8_10 grafana-selinux-10.2.6-13.el9_6 grafana-selinux-9.2.10-23.el8_10 libgnutls30-3.8.3-slfo.1.1_5.1 release-notes-susemanager-4.3.15.2-150400.3.133.1 gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-RT libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-RT-SelfInstall libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-RT-encrypted libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-SelfInstall libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-encrypted libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-qcow gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-SelfInstall libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-SelfInstall gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-encrypted libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-encrypted gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-qcow libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-qcow libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-Azure libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS-Azure libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS-EC2 libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS-GCE libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-EC2 libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-GCE release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE grafana-9.2.10-23.el8_10 as a component of SUSE Liberty Linux 8 grafana-selinux-9.2.10-23.el8_10 as a component of SUSE Liberty Linux 8 grafana-10.2.6-13.el9_6 as a component of SUSE Liberty Linux 9 grafana-selinux-10.2.6-13.el9_6 as a component of SUSE Liberty Linux 9 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of SUSE Manager Server 4.3 govulncheck-vulndb-0.0.20250527T204717-1.1 as a component of openSUSE Tumbleweed grafana-11.6.1+security01-1.1 as a component of openSUSE Tumbleweed grafana as a component of SUSE Multi-Linux Manager Client Tools for SLE 12 grafana as a component of SUSE Multi-Linux Manager Client Tools for SLE 15 A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. CVE-2025-4123 Image SL-Micro:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-RT:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-RT-SelfInstall:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-RT-encrypted:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-SelfInstall:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-VMware:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-encrypted:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-qcow:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-SelfInstall:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-SelfInstall:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-VMware:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-VMware:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-encrypted:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-encrypted:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-qcow:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-qcow:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-Azure:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS-Azure:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS-EC2:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS-GCE:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-EC2:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-GCE:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.15.2-150400.3.133.1 SUSE Liberty Linux 8:grafana-9.2.10-23.el8_10 SUSE Liberty Linux 8:grafana-selinux-9.2.10-23.el8_10 SUSE Liberty Linux 9:grafana-10.2.6-13.el9_6 SUSE Liberty Linux 9:grafana-selinux-10.2.6-13.el9_6 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 SUSE Manager Server 4.3:release-notes-susemanager-4.3.15.2-150400.3.133.1 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250527T204717-1.1 openSUSE Tumbleweed:grafana-11.6.1+security01-1.1 SUSE Multi-Linux Manager Client Tools for SLE 12:grafana SUSE Multi-Linux Manager Client Tools for SLE 15:grafana important 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L