Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenCTI bypass of protected attribute update
Vulnerability Description
OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the `external` flag on/off and change the own token value for a user. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and the information about these users identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low privileged user. This issue has been patched in version 6.4.10.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
访问控制不恰当
Vulnerability Title
OpenCTI 安全漏洞
Vulnerability Description
OpenCTI是OpenCTI开源的一个开放网络威胁情报平台。 OpenCTI 6.4.8至6.4.10之前版本存在安全漏洞,该漏洞源于允许绕过允许/拒绝列表,可能导致修改不可变属性和枚举用户账户。
CVSS Information
N/A
Vulnerability Type
N/A