Description
An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://www.vsecurity.com/resources/advisories.html
Release Notes, Vendor Advisory x_refsource_misc
https://docs.thoughtspot.com/5.1/release/notes.html
Third Party Advisory x_refsource_confirm
https://www.vsecurity.com/download/advisories/201912782-1.txt
Scores
CVSS v3
8.1
EPSS
0.0033
EPSS Percentile
55.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-639
Status
published
Products (1)
thoughtspot/thoughtspot
4.4.1 - 5.1.1
Published
Jul 09, 2019
Tracked Since
Feb 18, 2026