On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.