CVE-2025-58746

CRITICAL9.1

Volkov Labs Business Links plugin vulnerable to privilege escalation attack

Published Sep 8, 2025

Modified 4 months ago

No fix available

Details

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.

References

WEBhttps://github.com/VolkovLabs/business-links/commit/9d203a6950de7860e11b25e4265ed8fe60082d7d DETECTIONhttps://github.com/VolkovLabs/business-links/security/advisories/GHSA-93qj-gv4p-mf53 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-58746

CVSS Analysis

CVSS v3.1

9.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

RequiredUI:R

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Weakness Type (CWE)

Injection

CWE-79

Cross-site Scripting (XSS)

Other

CWE-83

Ecosystems

Timeline

PublishedSep 8, 2025

ModifiedSep 9, 2025