Byte Open Security (ByteOS Network)
Vulnerability Details: CVE-2025-6197

Summary
Assigner: GRAFANA
Assigner Org ID: 57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At: 18 Jul, 2025 | 07:48
Updated At: 18 Jul, 2025 | 13:46
Rejected At: -
Credits: -

An open redirect vulnerability has been identified in the Grafana OSS organization-switching functionality. Prerequisites for exploitation:
  • Multiple organizations must exist in the Grafana instance
  • The victim must be on a different organization than the one specified in the URL

Vendors: Not available
Products: -
Metrics (CVSS)
Version | Base score | Base severity | Vector
Weaknesses
Attack Patterns
Solution/Workaround
References
Hyperlink | Resource Type
EPSS History
Score (Latest Score): N/A (no data available for selected date range)
Percentile (Latest Percentile): N/A (no data available for selected date range)
Stakeholder-Specific Vulnerability Categorization (SSVC)
Common Vulnerabilities and Exposures (CVE) (cve.org)
Assigner: GRAFANA
Assigner Org ID: 57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At: 18 Jul, 2025 | 07:48
Updated At: 18 Jul, 2025 | 13:46
Rejected At: -
CVE Numbering Authority (CNA)

An open redirect vulnerability has been identified in the Grafana OSS organization-switching functionality. Prerequisites for exploitation:
  • Multiple organizations must exist in the Grafana instance
  • The victim must be on a different organization than the one specified in the URL

Affected Products
Vendor: Grafana Labs
Product: Grafana
Default Status: unaffected
Affected Versions:
  • From 12.0.x before 12.0.2+security-01 (semver)
  • From 11.6.x before 11.6.3+security-01 (semver)
  • From 11.5.x before 11.5.6+security-01 (semver)
  • From 11.4.x before 11.4.6+security-01 (semver)
  • From 11.3.x before 11.3.8+security-01 (semver)
Problem Types
Type: CWE
CWE ID: CWE-601
Description: CWE-601 (URL Redirection to Untrusted Site ('Open Redirect'))
Metrics
Version: 3.1
Base score: 4.2
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC ID: CAPEC-194
Description: CAPEC-194
Solutions

Configurations

Workarounds

Exploits

Credits
finder: Dat Phung
Timeline
Event | Date
Replaced By

Rejected Reason

References
  • https://grafana.com/security/security-advisories/cve-2025-6197/ (vendor-advisory)
  • https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/ (mitigation, release-notes)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Information is not available yet
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security@grafana.com
Published At: 18 Jul, 2025 | 08:15
Updated At: 22 Jul, 2025 | 13:06

Description: same text as the CNA description above.

CISA Catalog: N/A (Date Added, Due Date, Vulnerability Name, Required Action: N/A)
Metrics
Type: Secondary
Version: 3.1
Base score: 4.2
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CPE Matches

Weaknesses
CWE ID: CWE-601
Type: Secondary
Source: security@grafana.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
  • https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/ (Source: security@grafana.com; Resource: N/A)
  • https://grafana.com/security/security-advisories/cve-2025-6197/ (Source: security@grafana.com; Resource: N/A)

Change History
0 entries: Information is not available yet

Similar CVEs
3 records found

CVE-2025-6023
Matching Score: 6
Assigner: Grafana Labs
CVSS Score: 7.6 (HIGH)
EPSS: 1.83% / 82.15%
7 Day CHG: ~0.00%
Published: 18 Jul, 2025 | 07:48
Updated: 22 Jul, 2025 | 13:06
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.

Action: Not Available
Vendor: Grafana Labs
Product: Grafana
CWE ID: CWE-601 (URL Redirection to Untrusted Site ('Open Redirect'))
CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
CVE-2025-4123
Matching Score: 6
Assigner: Grafana Labs
CVSS Score: 7.6 (HIGH)
EPSS: 5.16% / 89.50%
7 Day CHG: ~0.00%
Published: 22 May, 2025 | 07:44
Updated: 15 Aug, 2025 | 19:37
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.

Action: Not Available
Vendor: Grafana Labs
Product: grafana / Grafana
CWE ID: CWE-601 (URL Redirection to Untrusted Site ('Open Redirect'))
CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
CVE-2025-57821
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 4.2 (MEDIUM)
EPSS: Not Assigned
Published: 27 Aug, 2025 | 16:32
Updated: 27 Aug, 2025 | 18:53
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Basecamp's Google Sign-In for Rails allowed redirects to a malformed URL

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a session cookie may be vulnerable if this can be chained with an attack that allows injection of arbitrary data into the session cookie. This issue has been patched in version 1.3.0. If upgrading is not possible at this time, the chained attack can be mitigated by explicitly setting SameSite=Lax or SameSite=Strict on the application session cookie.

Action: Not Available
Vendor: basecamp
Product: google_sign_in
CWE ID: CWE-601 (URL Redirection to Untrusted Site ('Open Redirect'))