6.3

CVE-2025-24887

EPSS 0.22%
Veröffentlicht 30.04.2025 18:27:24
Zuletzt bearbeitet 19.05.2025 11:51:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the `external` flag on/off and change the own token value for a user. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and the information about these users identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low privileged user. This issue has been patched in version 6.4.10.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Citeum ≫ Opencti Version > 6.4.8 <= 6.4.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.443

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
security-advisories@github.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-657 Violation of Secure Design Principles

The product violates well-established principles for secure design.

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-8262-pw2q-5qc3

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-24887

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24887

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24887

EUVD