FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-09 08:42:40 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 6a851dc0-cfd2-11ee-ac09-6c3be5272acd
Description: Grafana -- Email verification is not required after email change

Grafana Labs reports:

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.

The CVSS score for this vulnerability is 5.4 Medium.


Discovery: 2023-11-10
Entry: 2024-02-20

Affected packages:

grafana
  < 9.5.16
  >= 10.0.0, < 10.0.11
  >= 10.1.0, < 10.1.7
  >= 10.2.0, < 10.2.4
  >= 10.3.0, < 10.3.3

grafana9
  < 9.5.16

grafana10
  < 10.0.11
  >= 10.1.0, < 10.1.7
  >= 10.2.0, < 10.2.4
  >= 10.3.0, < 10.3.3

References:

CVE-2023-6152
https://grafana.com/security/security-advisories/cve-2023-6152/