CVE-2022-30290

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse the identified vulnerability in order to arbitrarily change their registered e-mail address as well as their API key, even though such action is not possible through the interface, legitimately.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
citeumopencti
𝑥
≤ 5.2.4
𝑥
= Vulnerable software versions
References
https://github.com/OpenCTI-Platform/opencti/releases
https://www.enisa.europa.eu/topics/threat-risk-management/vulnerability-disclosure
https://github.com/OpenCTI-Platform/opencti/releases
https://www.enisa.europa.eu/topics/threat-risk-management/vulnerability-disclosure