Description
Grafana validates Azure AD accounts based on the email claim. In Azure AD the profile email field is neither unique nor immutable: a user in any tenant can set it to an arbitrary value. When Azure AD OAuth is configured with a multi-tenant app, an attacker can therefore sign in with an Azure AD account whose email matches an existing Grafana user and be mapped onto that user's account, which amounts to account takeover and authentication bypass.
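The mechanism above, as an added illustration that is not Grafana's own code: an identity-provider login is resolved to a local account either by the mutable `email` claim (the vulnerable pattern) or by the tenant ID plus object ID (`tid`/`oid`), which Azure AD issues as a stable identifier, combined with an allowlist of tenants. The account store, the claim values and the tenant names are constructed sample data; the function names and the allowlist parameter are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims models the subset of an Azure AD ID token that matters here.
// Email is a user-editable profile attribute and is not unique across tenants;
// OID (object ID) scoped by TID (tenant ID) is the stable identity.
type Claims struct {
	Email string
	OID   string
	TID   string
}

// User is a local (Grafana-style) account record.
type User struct {
	ID    int
	Login string
	Role  string
}

// UserStore is a constructed in-memory account store used for the example.
type UserStore struct {
	byEmail     map[string]User
	byTenantOID map[string]User // key: tid + "/" + oid
}

func tenantKey(tid, oid string) string { return tid + "/" + oid }

// NewSampleStore seeds one privileged account that was provisioned from
// tenant-a (constructed data).
func NewSampleStore() *UserStore {
	admin := User{ID: 1, Login: "admin", Role: "Admin"}
	return &UserStore{
		byEmail:     map[string]User{"admin@example.com": admin},
		byTenantOID: map[string]User{tenantKey("tenant-a", "0000-aaaa"): admin},
	}
}

// ResolveByEmail is the vulnerable pattern: any token whose email claim
// matches an existing account is treated as that account.
func ResolveByEmail(s *UserStore, c Claims) (User, error) {
	if u, ok := s.byEmail[c.Email]; ok {
		return u, nil
	}
	return User{}, errors.New("no account for email")
}

// ResolveByObjectID is the hardened pattern: the account is keyed by the
// immutable (tid, oid) pair, and tokens from tenants outside the allowlist
// are rejected before any lookup happens.
func ResolveByObjectID(s *UserStore, c Claims, allowedTenants []string) (User, error) {
	allowed := false
	for _, t := range allowedTenants {
		if t == c.TID {
			allowed = true
			break
		}
	}
	if !allowed {
		return User{}, errors.New("tenant not allowed")
	}
	if u, ok := s.byTenantOID[tenantKey(c.TID, c.OID)]; ok {
		return u, nil
	}
	return User{}, errors.New("no account for tenant/object id")
}

func main() {
	store := NewSampleStore()
	allowed := []string{"tenant-a"}

	// Attacker controls tenant-b and sets their profile email to the admin's.
	attacker := Claims{Email: "admin@example.com", OID: "ffff-bbbb", TID: "tenant-b"}
	if u, err := ResolveByEmail(store, attacker); err == nil {
		fmt.Printf("email lookup: attacker mapped to %s (%s)\n", u.Login, u.Role)
	}
	if _, err := ResolveByObjectID(store, attacker, allowed); err != nil {
		fmt.Println("oid lookup: attacker rejected:", err)
	}

	// The legitimate admin from tenant-a still resolves correctly.
	victim := Claims{Email: "admin@example.com", OID: "0000-aaaa", TID: "tenant-a"}
	if u, err := ResolveByObjectID(store, victim, allowed); err == nil {
		fmt.Printf("oid lookup: legitimate user mapped to %s\n", u.Login)
	}
}
```

The check that matters is the order: the tenant allowlist is enforced before the lookup, and the lookup key is something the end user cannot edit. Matching on a claim that the user controls, whether email or display name, should never decide which local account a login lands on.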
Remediation
References