Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-10452

Summary
Assigner-GRAFANA
Assigner Org ID-57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At-29 Oct, 2024 | 15:16
Updated At-29 Oct, 2024 | 15:35
Rejected At-
Credits

Organization admins can delete pending invites created in an organization they are not part of.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GRAFANA
Assigner Org ID:57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At:29 Oct, 2024 | 15:16
Updated At:29 Oct, 2024 | 15:35
Rejected At:
▼CVE Numbering Authority (CNA)

Organization admins can delete pending invites created in an organization they are not part of.

Affected Products
Vendor
Grafana LabsGrafana
Product
Grafana
Default Status
unaffected
Versions
Affected
  • 10.4.0
Problem Types
TypeCWE IDDescription
CWECWE-639CWE-639 Authorization Bypass Through User-Controlled Key
Type: CWE
CWE ID: CWE-639
Description: CWE-639 Authorization Bypass Through User-Controlled Key
Metrics
VersionBase scoreBase severityVector
3.12.2LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 2.2
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-109CAPEC-109 Object Relational Mapping Injection
CAPEC ID: CAPEC-109
Description: CAPEC-109 Object Relational Mapping Injection
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://grafana.com/security/security-advisories/cve-2024-10452
N/A
Hyperlink: https://grafana.com/security/security-advisories/cve-2024-10452
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@grafana.com
Published At:29 Oct, 2024 | 16:15
Updated At:08 Nov, 2024 | 17:59

Organization admins can delete pending invites created in an organization they are not part of.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.12.7LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Secondary3.12.2LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 2.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 2.2
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
CPE Matches

Grafana Labs
grafana
>>grafana>>10.4.0
cpe:2.3:a:grafana:grafana:10.4.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-639Primarynvd@nist.gov
CWE-639Secondarysecurity@grafana.com
CWE ID: CWE-639
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-639
Type: Secondary
Source: security@grafana.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://grafana.com/security/security-advisories/cve-2024-10452security@grafana.com
Vendor Advisory
Hyperlink: https://grafana.com/security/security-advisories/cve-2024-10452
Source: security@grafana.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

12Records found

CVE-2022-21713
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.19% / 64.04%
||
7 Day CHG~0.00%
Published-08 Feb, 2022 | 20:50
Updated-23 Apr, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information in Grafana

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Action-Not Available
Vendor-Fedora ProjectNetApp, Inc.Grafana Labs
Product-e-series_performance_analyzergrafanafedoragrafana
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-1313
Matching Score-6
Assigner-Grafana Labs
ShareView Details
Matching Score-6
Assigner-Grafana Labs
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 46.46%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 17:24
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Users outside an organization can delete a snapshot with its key

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

Action-Not Available
Vendor-Grafana Labs
Product-Grafana
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-21721
Matching Score-6
Assigner-Grafana Labs
ShareView Details
Matching Score-6
Assigner-Grafana Labs
CVSS Score-8.1||HIGH
EPSS-0.65% / 46.54%
||
7 Day CHG+0.26%
Published-27 Jan, 2026 | 09:07
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

Action-Not Available
Vendor-Red Hat, Inc.Grafana Labs
Product-grafanagrafana/grafanagrafana/grafana-enterpriseMulticluster Global HubRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Ceph Storage 5Red Hat Ceph Storage 8Red Hat Advanced Cluster Management for Kubernetes 2.13Red Hat Ceph Storage 6Red Hat Advanced Cluster Management for Kubernetes 2.12Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 10)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-6570
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.30% / 21.79%
||
7 Day CHG~0.00%
Published-19 Apr, 2026 | 11:00
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
kodcloud KodExplorer systemMember.class.php initInstall authorization

A security flaw has been discovered in kodcloud KodExplorer up to 4.52. Affected is the function initInstall of the file /app/controller/systemMember.class.php. Performing a manipulation of the argument path results in authorization bypass. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-kodcloud
Product-KodExplorer
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-30507
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-2.7||LOW
EPSS-0.44% / 35.04%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 14:15
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Molongui Authorship plugin <= 4.7.7 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Molongui.This issue affects Molongui: from n/a through 4.7.7.

Action-Not Available
Vendor-Molongui
Product-Molongui
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2023-41368
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-2.7||LOW
EPSS-0.37% / 28.73%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 01:59
Updated-26 Sep, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)

The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.

Action-Not Available
Vendor-SAP SE
Product-s\/4_hanaS4 HANA ABAP (Manage checkbook apps)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-39510
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-2.7||LOW
EPSS-0.20% / 10.43%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.11 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.

Action-Not Available
Vendor-WP Chill
Product-Image Photo Gallery Final Tiles Grid
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-3307
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 18.64%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 22:23
Updated-29 Apr, 2026 | 12:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers

An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-enterprise_serverEnterprise Server
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-25120
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.27% / 18.77%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 01:59
Updated-19 Feb, 2026 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gogs Allows Cross-Repository Comment Deletion via DeleteComment

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0.

Action-Not Available
Vendor-gogsgogs
Product-gogsgogs
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2021-36906
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-2.7||LOW
EPSS-0.53% / 40.63%
||
7 Day CHG~0.00%
Published-03 Nov, 2022 | 19:33
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quiz And Survey Master plugin <= 7.3.6 - Multiple Insecure direct object references (IDOR) vulnerabilities

Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress.

Action-Not Available
Vendor-expresstechExpressTech
Product-quiz_and_survey_masterQuiz And Survey Master (WordPress plugin)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-12102
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-2.7||LOW
EPSS-0.28% / 19.79%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 06:50
Updated-18 Jun, 2026 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.

Action-Not Available
Vendor-stiofansisland
Product-UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-11578
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-2.7||LOW
EPSS-0.17% / 6.47%
||
7 Day CHG~0.00%
Published-02 Jul, 2026 | 06:00
Updated-02 Jul, 2026 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fluent Forms < 6.2.5 - Form Manager+ Cross-Form Submission Entry Deletion via IDOR

The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.

Action-Not Available
Vendor-Unknown
Product-Fluent Forms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
Details not found