Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
freebsdFreeBSD6A851DC0-CFD2-11EE-AC09-6C3BE5272ACD
HistoryNov 10, 2023 - 12:00 a.m.

Grafana -- Email verification is not required after email change

2023-11-1000:00:00
vuxml.freebsd.org
2
grafana
email verification
vulnerability
configuration option
cvss score

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Grafana Labs reports:

The vulnerability impacts instances where

  Grafana basic authentication is enabled.

Grafana has a

  verify_email_enabled configuration option. When this option is enabled,
  users are required to confirm their email addresses before the sign-up process
  is complete. However, the email is only checked at the time of the sign-up.
  No further verification is carried out if a user’s email address is updated
  after the initial sign-up. Moreover, Grafana allows using an email address
  as the user’s login name, and no verification is ever carried out for this email
  address.

This means that even if the

  verify_email_enabled configuration option is enabled, users can use
  unverified email addresses to log into Grafana if the email address
  has been changed after the sign up, or if an email address is set as the login
  name.

The CVSS score for this vulnerability is [5.4 Medium] (CVSS).

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchgrafana<Β 9.5.16UNKNOWN
FreeBSDanynoarchgrafana9<Β 9.5.16UNKNOWN
FreeBSDanynoarchgrafana10<Β 10.0.11UNKNOWN

Related

nessus 8
redhatcve 1
prion 1
cgr 1
osv 2
cvelist 1
wolfi 1
nvd 1
ubuntucve 1
cve 1
veracode 1
redos 1
github 1
openvas 1
nessus
nessus
FreeBSD : Grafana -- Email verification is not required after email change (6a851dc0-cfd2-11ee-ac09-6c3be5272acd)
2024-02-24 00:00:00
Grafana Labs Incorrect Authorization (CVE-2023-6152)
2024-02-16 00:00:00
SUSE SLES12 Security Update : SUSE Manager Client Tools (SUSE-SU-2024:1508-1)
2024-05-07 00:00:00
redhatcve
redhatcve
CVE-2023-6152
2024-05-23 19:55:02
prion
prion
Default configuration
2024-02-13 22:15:00
cgr
cgr
CVE-2023-6152 vulnerabilities
2024-05-19 03:07:16
osv
osv
BIT-grafana-2023-6152
2024-03-12 08:24:38
Email Validation Bypass And Preventing Sign Up From Email's Owner
2024-02-13 22:25:10
cvelist
cvelist
CVE-2023-6152
2024-02-13 21:38:01
wolfi
wolfi
CVE-2023-6152 vulnerabilities
2024-06-26 03:08:30
nvd
nvd
CVE-2023-6152
2024-02-13 22:15:45
ubuntucve
ubuntucve
CVE-2023-6152
2024-02-13 00:00:00
cve
cve
CVE-2023-6152
2024-02-13 22:15:45
veracode
veracode
Incorrect Authorization
2024-02-14 10:24:33
redos
redos
ROS-20240418-03
2024-04-18 00:00:00
github
github
Email Validation Bypass And Preventing Sign Up From Email's Owner
2024-02-13 22:25:10
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2024:1508-1)
2024-05-07 00:00:00

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON
Related for 6A851DC0-CFD2-11EE-AC09-6C3BE5272ACD
nessus8redhatcve1prion1cgr1osv2cvelist1wolfi1nvd1ubuntucve1cve1veracode1redos1github1openvas1