Description
Grafana is an open-source platform for monitoring and observability. When the forgot-password function on the login page is used, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, the JSON response contains a “user not found” message. This leaks information to unauthenticated users, who can tell from the response whether a given username or email is registered, and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
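The response difference described above, shown as an added Go example that is not Grafana's code: a reset handler that reveals whether an account exists, next to one that answers identically either way. The `userOrEmail` field name, the in-memory `users` store, the `outbox` queue and the `/reset` path are assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var users = map[string]bool{"alice@example.com": true} // constructed account store
var outbox []string                                     // constructed stand-in for the mail queue

// identifier reads the (assumed) userOrEmail field from the JSON request body.
func identifier(r *http.Request) string {
	var q struct{ UserOrEmail string `json:"userOrEmail"` }
	_ = json.NewDecoder(r.Body).Decode(&q)
	return q.UserOrEmail
}

// leakyReset reproduces the flaw: unknown accounts get a distinct status and body.
func leakyReset(w http.ResponseWriter, r *http.Request) {
	id := identifier(r)
	if !users[id] {
		http.Error(w, `{"message":"user not found"}`, http.StatusNotFound)
		return
	}
	outbox = append(outbox, id)
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// uniformReset queues mail only for real accounts but always answers the same.
func uniformReset(w http.ResponseWriter, r *http.Request) {
	if id := identifier(r); users[id] {
		outbox = append(outbox, id)
	}
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// probe posts one identifier to a handler and returns the status code and body.
func probe(h http.HandlerFunc, id string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("POST", "/reset", strings.NewReader(`{"userOrEmail":"`+id+`"}`)))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(probe(leakyReset, "nobody@example.com"))
	fmt.Println(probe(uniformReset, "nobody@example.com"))
}
```

A uniform body and status code do not cover response timing; queueing the mail instead of sending it inline keeps both paths comparable.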
Remediation
References