CVE-2026-21721

dashboard · dashboard Multiple Products

A high-severity vulnerability has been identified in the permissions API of multiple dashboard products.

Executive summary

An authenticated user who holds a role on any one dashboard can use the permissions API to view or modify the permissions of other dashboards they were never granted access to, because the API authorizes the caller against the dashboard system as a whole rather than against the target dashboard. The result is privilege escalation and unauthorized access to whatever those dashboards display. Apply the vendor updates promptly, then audit permission configurations for changes made before the patch, since the update closes the missing check but does not revert roles an attacker may already have granted.

Vulnerability

This vulnerability is an Improper Access Control issue in the dashboard permissions API: an authorization check performed at the wrong granularity. The endpoint that reads and writes dashboard permissions verifies that the caller is a legitimate user of the dashboard system in general, but it never checks that the caller holds management rights on the particular dashboard named in the request. Any authenticated user with a low-privilege role on a single dashboard can therefore address the permissions endpoint of any other dashboard in the same environment, read its access list, and grant themselves (or another account) an elevated role on it. The missing check is the per-object (object-level) authorization step; authenticating the user and confirming general access to the product does not substitute for it.
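The following is an added illustration of that flaw class and its fix; it is not code from any affected product, and all names, roles and the in-memory store are hypothetical. The vulnerable handlers check only that the caller is some dashboard user, so a viewer on one dashboard can read and rewrite the access list of another. The fixed handlers look the target dashboard up first and authorize the caller against that object.

```python
# Added illustration (not code from any affected product) of a permissions
# endpoint that authorizes the caller against the dashboard system as a whole
# instead of against the target dashboard. Names, roles and the in-memory
# store are hypothetical.
from dataclasses import dataclass, field
from typing import Dict

ROLES = {"viewer", "editor", "admin"}
MANAGE_ROLE = "admin"   # role required to change a dashboard's permissions


class Forbidden(Exception):
    """Authorization failure; the real endpoint would return HTTP 403."""


@dataclass
class Dashboard:
    dashboard_id: str
    grants: Dict[str, str] = field(default_factory=dict)  # user -> role on THIS dashboard


def make_env() -> Dict[str, Dashboard]:
    """Constructed environment: alice is only a viewer on dash-1; dash-2 is a
    sensitive board on which she has never been granted any role."""
    return {
        "dash-1": Dashboard("dash-1", {"alice": "viewer", "bob": "admin"}),
        "dash-2": Dashboard("dash-2", {"bob": "admin"}),
    }


def is_dashboard_user(env: Dict[str, Dashboard], user: str) -> bool:
    """The only check the vulnerable handlers perform: does the caller hold a
    role on at least one dashboard, i.e. may it use the dashboard system?"""
    return any(user in d.grants for d in env.values())


def list_permissions_vulnerable(env, actor, dashboard_id):
    """VULNERABLE read path: system-level check only, target dashboard ignored."""
    if not is_dashboard_user(env, actor):
        raise Forbidden("not a dashboard user")
    return dict(env[dashboard_id].grants)


def set_permission_vulnerable(env, actor, dashboard_id, grantee, role):
    """VULNERABLE write path: same system-level check, so a viewer on dash-1
    can grant herself admin on dash-2."""
    if role not in ROLES:
        raise ValueError("unknown role")
    if not is_dashboard_user(env, actor):
        raise Forbidden("not a dashboard user")
    env[dashboard_id].grants[grantee] = role
    return dict(env[dashboard_id].grants)


def _authorize(env, actor, dashboard_id, require_manage: bool) -> Dashboard:
    """FIX: object-level authorization. Resolve the target dashboard first and
    require the actor to hold a role on *that* object (admin for writes).
    Unknown id and missing role raise the same error so the endpoint does
    not reveal which dashboard ids exist."""
    dash = env.get(dashboard_id)
    if dash is None or actor not in dash.grants:
        raise Forbidden("no access to target dashboard")
    if require_manage and dash.grants[actor] != MANAGE_ROLE:
        raise Forbidden("insufficient role on target dashboard")
    return dash


def list_permissions_fixed(env, actor, dashboard_id):
    """Any role on the target dashboard may read its permission list."""
    return dict(_authorize(env, actor, dashboard_id, require_manage=False).grants)


def set_permission_fixed(env, actor, dashboard_id, grantee, role):
    """Only an admin of the target dashboard may change its permissions."""
    if role not in ROLES:
        raise ValueError("unknown role")
    dash = _authorize(env, actor, dashboard_id, require_manage=True)
    dash.grants[grantee] = role
    return dict(dash.grants)


def denied(fn, *args) -> bool:
    """True if the call is refused with Forbidden (used to demonstrate the fix)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    env = make_env()
    print("vulnerable:", set_permission_vulnerable(env, "alice", "dash-2", "alice", "admin"))
    print("fixed denies:", denied(set_permission_fixed, make_env(), "alice", "dash-2", "alice", "admin"))
```

The point of `_authorize` is that the dashboard id from the request is resolved to an object and the caller's role is read from that object; a check that answers "is this an authenticated dashboard user" can never express "may this user manage this dashboard".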

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to significant business consequences, including unauthorized access to and exfiltration of sensitive corporate data, financial reports, customer information, or other proprietary metrics displayed on the dashboards. An attacker could escalate their privileges, gaining administrative control over dashboards, which could be used to manipulate data, disrupt business intelligence operations, or pivot to other systems. This poses a direct risk of data breach, regulatory non-compliance (e.g., GDPR, CCPA), financial loss, and reputational damage.

Remediation

Immediate Action: Apply the vendor security updates to all affected products. After patching, review every dashboard's permission configuration and audit the access logs for permission reads or changes that were not authorized. The update closes the missing check but does not undo roles that were granted through it, so any grant made before the patch that cannot be tied to a legitimate request should be revoked.

Proactive Monitoring: Log every call to the dashboard permissions API with the acting user, the target dashboard, the HTTP method and the outcome, and alert on the patterns that this flaw produces: a burst of requests to the permissions endpoint from a single user (consistent with enumerating other dashboards' access lists), a successful permission change by a non-administrative user, especially on high-value dashboards, and any successful permission change that has no corresponding authorized change request.
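As an added example of those three detections (not a vendor log schema or a product feature), the script below parses a constructed access log in which one user enumerates several dashboards' permission lists and then grants on a finance dashboard without a ticket, while an administrator's change is legitimate. The route shape, field names, thresholds, admin roster and high-value dashboard list are all assumptions to be replaced with the environment's own.

```python
# Added detection example for the monitoring advice above. The log format,
# route shape, thresholds and watch-lists are hypothetical, not a vendor schema.
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PERM_PATH = re.compile(r"^/api/dashboards/([^/]+)/permissions/?$")  # assumed route
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
HIGH_VALUE_DASHBOARDS = {"dash-finance", "dash-customers"}  # assumed sensitive boards
ADMINS = {"bob"}                                             # assumed admin roster
BURST_THRESHOLD = 5                   # this many permissions-API calls ...
BURST_WINDOW = timedelta(seconds=60)  # ... from one user within this window

# Constructed sample log, one JSON object per line (not real traffic).
SAMPLE_LOG = """\
{"ts":"2026-02-10T09:00:00Z","user":"bob","method":"PUT","path":"/api/dashboards/dash-finance/permissions","status":200,"ticket":"CHG-1042"}
{"ts":"2026-02-10T09:00:05Z","user":"alice","method":"GET","path":"/api/dashboards/dash-1/permissions","status":200}
{"ts":"2026-02-10T09:00:06Z","user":"alice","method":"GET","path":"/api/dashboards/dash-2/permissions","status":200}
{"ts":"2026-02-10T09:00:07Z","user":"alice","method":"GET","path":"/api/dashboards/dash-3/permissions","status":200}
{"ts":"2026-02-10T09:00:08Z","user":"alice","method":"GET","path":"/api/dashboards/dash-customers/permissions","status":200}
{"ts":"2026-02-10T09:00:09Z","user":"alice","method":"GET","path":"/api/dashboards/dash-finance/permissions","status":200}
{"ts":"2026-02-10T09:00:12Z","user":"alice","method":"PUT","path":"/api/dashboards/dash-finance/permissions","status":200}
{"ts":"2026-02-10T09:00:30Z","user":"carol","method":"GET","path":"/api/dashboards/dash-1/widgets","status":200}
{"ts":"2026-02-10T09:01:00Z","user":"carol","method":"GET","path":"/api/dashboards/dash-1/permissions","status":200}
"""


def parse_log(text: str) -> list:
    """Keep only requests to the permissions endpoint; attach the dashboard id
    extracted from the path and a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        match = PERM_PATH.match(rec["path"])
        if not match:
            continue  # other dashboard routes are out of scope here
        rec["dashboard"] = match.group(1)
        rec["time"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect(events: list) -> list:
    """Run the three rules over time-ordered events and return alert dicts."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps inside the sliding window
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        # Rule 1: burst of permissions-API calls from one user (enumeration).
        window = recent[user]
        window.append(ev["time"])
        while window and ev["time"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and user not in burst_reported:
            burst_reported.add(user)  # one alert per user per burst
            alerts.append({"rule": "burst", "user": user, "count": len(window), "ts": ev["ts"]})
        succeeded_write = ev["method"] in WRITE_METHODS and 200 <= ev["status"] < 300
        if not succeeded_write:
            continue
        base = {"user": user, "dashboard": ev["dashboard"], "ts": ev["ts"]}
        # Rule 2: non-admin successfully changes permissions on a high-value board.
        if ev["dashboard"] in HIGH_VALUE_DASHBOARDS and user not in ADMINS:
            alerts.append({"rule": "non_admin_high_value_change", **base})
        # Rule 3: successful change with no change-request reference attached.
        if not ev.get("ticket"):
            alerts.append({"rule": "change_without_ticket", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Rule 2 is the one that catches this CVE directly: after the patch a non-admin's write should be a 403, so a 2xx from a non-admin on a guarded dashboard indicates either an unpatched instance or a legitimate role that the roster does not know about, and either deserves a look.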

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Use a Web Application Firewall (WAF) to restrict the permissions API endpoint, including read requests since the flaw also exposes access lists, to known administrative accounts or source addresses. A source-address rule only helps where non-administrative users cannot reach the application from those same addresses; if administrators and ordinary users share a network, restrict by identity instead.
  • Temporarily disable self-service permission management features for non-administrative users if the application allows.
  • Conduct a full audit of all user roles and dashboard permissions to identify and revoke any excessive or unauthorized privileges immediately.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.1 and the direct risk of privilege escalation and data exposure, this vulnerability should be treated as a critical priority. Organizations must apply the vendor-supplied patches on an emergency basis. Although this CVE is not currently listed on the CISA KEV list, its severity warrants immediate attention. We recommend prioritizing the patch deployment and subsequently performing a thorough audit of all dashboard permissions to detect and revert any unauthorized changes that may indicate prior compromise.