Description

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

Remediation

References

CVE-2018-15727

Related Vulnerabilities

MongoDb Improper Check for Unusual or Exceptional Conditions Vulnerability (CVE-2019-20924)

WordPress Plugin Remove Schema Cross-Site Request Forgery (1.4)

WordPress Plugin MStore API-Create Native Android & iOS Apps On The Cloud SQL Injection (4.10.8)

MySQL CVE-2016-3471 Vulnerability (CVE-2016-3471)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-0700)

Severity

Critical

Classification

CVE-2018-15727 CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities