Opencti
Stored cross-site scripting in OpenCTI's email-message observable rendering allows an unauthenticated attacker to inject malicious script payloads via STIX data sharing or platform ingesters, which then execute in the browsers of authenticated users who view the affected observable. Versions prior to 7.260227.0 are affected; the body field of email-message observables is passed to the renderer without sanitization. Successful exploitation can chain into CSRF attacks and large-scale session token theft across the user base. No public exploit or CISA KEV listing exists at the time of analysis; a vendor-released patch is available.
Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by adding a higher-privileged user from a different organization into their own organization, exploiting incorrect ACL enforcement on the userEdit relationAdd GraphQL mutation. The flaw yields full platform access and exposure of sensitive intelligence data; no public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), but the vendor-confirmed GHSA advisory and trivial attack complexity make this a meaningful tenancy-isolation issue for multi-organization deployments.
Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data and carries a CVSS 9.8 critical severity rating. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13; a workaround via a configuration change is also available. No active exploitation (CISA KEV) or public PoC was confirmed at the time of analysis, and EPSS data was not provided.
OpenCTI versions prior to 6.9.1 contain an authorization bypass vulnerability in the GraphQL mutation 'IndividualDeletionDeleteMutation' that allows authenticated users to delete arbitrary unrelated objects such as analysis reports, not just the intended individual entities. The vulnerability stems from insufficient input validation in the API layer, enabling a user with basic mutation privileges to escalate their impact beyond intended scope. With a CVSS score of 6.5 and authenticated access requirement, this represents a moderate but actionable availability risk for organizations managing threat intelligence with OpenCTI.
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. [CVSS 5.4 MEDIUM]
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]
OpenCTI versions up to 6.8.3 are affected by URL redirection to an untrusted site (open redirect) (CVSS 5.4).
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. [CVSS 7.1 HIGH]
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
OpenCTI is an open cyber threat intelligence (CTI) platform. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
OpenCTI is an open-source cyber threat intelligence platform. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.