grafana-11.6.1+security01-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16233 Final 1 1 2025-05-27T00:00:00Z current 2025-05-27T00:00:00Z 2025-05-27T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z grafana-11.6.1+security01-1.1 on GA media These are all security issues fixed in the grafana-11.6.1+security01-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16233 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-22872/ SUSE CVE CVE-2025-22872 page https://www.suse.com/security/cve/CVE-2025-3580/ SUSE CVE CVE-2025-3580 page https://www.suse.com/security/cve/CVE-2025-4123/ SUSE CVE CVE-2025-4123 page openSUSE Tumbleweed grafana-11.6.1+security01-1.1 grafana-11.6.1+security01-1.1 as a component of openSUSE Tumbleweed The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). CVE-2025-22872 openSUSE Tumbleweed:grafana-11.6.1+security01-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22872.html CVE-2025-22872 https://bugzilla.suse.com/1241710 SUSE Bug 1241710 An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. CVE-2025-3580 openSUSE Tumbleweed:grafana-11.6.1+security01-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-3580.html CVE-2025-3580 https://bugzilla.suse.com/1243672 SUSE Bug 1243672 A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. CVE-2025-4123 openSUSE Tumbleweed:grafana-11.6.1+security01-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-4123.html CVE-2025-4123 https://bugzilla.suse.com/1243714 SUSE Bug 1243714