CVE-2022-30290

EUVD-2022-52242
In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse the identified vulnerability in order to arbitrarily change their registered e-mail address as well as their API key, even though such action is not possible through the interface, legitimately.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
citeumopencti
𝑥
≤ 5.2.4
𝑥
= Vulnerable software versions
References
https://github.com/OpenCTI-Platform/opencti/releases
https://www.enisa.europa.eu/topics/threat-risk-management/vulnerability-disclosure
https://github.com/OpenCTI-Platform/opencti/releases
https://www.enisa.europa.eu/topics/threat-risk-management/vulnerability-disclosure