Responsible vulnerability disclosure

Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited.

Limited, coordinated or responsible vulnerability disclosure refers to the practice in which the person who identified a vulnerability (the reporter) works with a coordinator or vendor to minimise the risk posed by that vulnerability. Once a patch has been developed, the coordinator or vendor publishes the vulnerability information alongside the remediation measures.

In the context of responsible vulnerability disclosure, ENISA coordinated the disclosure of the vulnerabilities listed below with the development teams of the affected open-source projects (OpenCTI and Discourse):

New vulnerabilities discovered by ENISA

1. Title: Stored XSS (CVE-2022-30289) and broken access control (CVE-2022-30290) in OpenCTI
Vulnerable version: 5.2.4
Fixed version: 5.3.0
CVE numbers: CVE-2022-30289, CVE-2022-30290
Discovered: May 2022

Vulnerability description

CVE-2022-30289

A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker with upload access can store a file containing malicious JavaScript through Data Import; the script is then executed in the browser of any victim who later opens the file's location in the application.

CVE-2022-30290

In OpenCTI through 5.2.4, a broken access control vulnerability was identified in the profile endpoint. An attacker can abuse it to arbitrarily change their registered e-mail address as well as their API key, even though neither change is possible through the user interface or any other legitimate channel.

Solution: Upgrade to the latest version available: https://github.com/OpenCTI-Platform/opencti/releases


2. Title: Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate.
Vulnerable version: 2.8.7
Fixed version: 2.8.8
CVE number: CVE-2022-37458
Discovered: May 2022

Vulnerability description

CVE-2022-37458

Discourse through 2.8.7 does not implement any rate limiting on the mail invite functionality. Admin users can send invitations to arbitrary e-mail addresses, and the affected functionality places no restriction on the number of requests per unit of time, so a single admin account can generate an unbounded volume of invitation e-mails.

Solution: Upgrade to the latest version available: https://github.com/discourse/discourse
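The missing control described above, as an added example that is not Discourse's own code: a per-admin sliding-window limit on the invite action, so that sends beyond the limit inside the window are rejected until older sends age out. The class name, the limit values and the injectable clock are assumptions chosen for illustration.

```ruby
# Added example (not Discourse's own code): a sliding-window rate limit for
# the admin invite action, so that one account cannot send unlimited invites.
# Names (InviteRateLimiter, simulate_invites) are assumptions for illustration.

class InviteRateLimiter
  # max: invitations allowed per window_seconds for a single admin account.
  # clock: injectable time source so the behaviour can be tested offline.
  def initialize(max:, window_seconds:, clock: -> { Time.now.to_f })
    @max = max
    @window = window_seconds
    @clock = clock
    @sent = Hash.new { |h, k| h[k] = [] } # admin_id => timestamps of recent sends
  end

  # Returns true and records the send when the admin is under the limit,
  # false when the limit for the current window is exhausted.
  def allow?(admin_id)
    now = @clock.call
    stamps = @sent[admin_id]
    stamps.reject! { |t| t <= now - @window } # drop sends that left the window
    return false if stamps.size >= @max
    stamps << now
    true
  end

  # Invitations the admin may still send in the current window.
  def remaining(admin_id)
    now = @clock.call
    [@max - @sent[admin_id].count { |t| t > now - @window }, 0].max
  end
end

# Simulated invite flow with a constructed clock (no real mail is sent):
# `count` attempts at the same instant, then one more after the window expires.
def simulate_invites(count, max:, window_seconds:)
  t = 0.0
  limiter = InviteRateLimiter.new(max: max, window_seconds: window_seconds, clock: -> { t })
  results = count.times.map { limiter.allow?("admin-1") }
  t += window_seconds + 1 # advance the constructed clock past the window
  results << limiter.allow?("admin-1")
  results
end
```

In a deployment the per-admin counters would live in a shared store rather than process memory, and a global cap across all admins is worth adding alongside the per-account one.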
