Email verification is not required after email change
Medium
| Advisory ID: | CVE-2023-6152 |
| Published: | 2024-02-13 |
| Product: | Grafana |
| CVSS Score: | 5.4 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| Fixed Versions: | >=10.3.3 >=10.2.4 >=10.1.7 >=10.0.11 >=9.5.16 |
Summary
Grafana is an open-source platform for monitoring and observability. A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option “verify_email_enabled” will only validate email only on sign up.
This issue has been patched in versions 10.3.3, 10.2.4, 10.1.7, 10.0.11 and 9.5.16.