GHSA-3hv4-r2fm-h27f, CVE-2023-6152
go/github.com/grafana/grafana
Incorrect Authorization
A user who has signed up and verified their email can later change it in profile settings without the new address being verified.
The configuration option "verify_email_enabled" only validates the email on sign up.
All versions starting from 2.5.0 before 9.5.16, all versions starting from 10.0.0 before 10.0.11, all versions starting from 10.1.0 before 10.1.7, all versions starting from 10.2.0 before 10.2.4, all versions starting from 10.3.0 before 10.3.3
Upgrade to versions 9.5.16, 10.0.11, 10.1.7, 10.2.4, 10.3.3 or above.
2024-02-14