CVE-2022-30289: Vulnerability Disclosure

A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location.


Responsible vulnerability disclosure

Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited.

Limited/Coordinated/Responsible vulnerability disclosure refers to the case where the party that identified a vulnerability works with a coordinator or vendor to minimise the risk it poses. Once a patch has been developed, the coordinator or vendor publishes the vulnerability information alongside the remediation measures.

In the context of responsible vulnerability disclosure, ENISA coordinated the following with the development team of the OpenCTI open-source project:

**New vulnerabilities discovered by ENISA**

Vulnerabilities Title: Stored XSS (CVE-2022-30289) and broken access control (CVE-2022-30290) in OpenCTI
Vulnerable version: 5.2.4
Fixed version: 5.3.0
CVE numbers: CVE-2022-30289, CVE-2022-30290
Discovered: May 2022

**Vulnerabilities Description**

CVE-2022-30289

A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location.

An attacker can store malicious JavaScript by uploading a file through the Data Import functionality. This JavaScript is then executed whenever a victim opens the file location.
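The advisory does not say how version 5.3.0 addresses this issue. As an added example (not OpenCTI code and not its actual fix), the sketch below shows one common server-side mitigation for stored XSS through uploads: computing response headers so that a stored file is never rendered as active content in the application's origin. The allow-list contents and the function names `downloadHeaders`, `normalizeType` and `safeFilename` are assumptions made for this illustration.

```javascript
// Added example: response headers for serving user-uploaded files.
// Names and the allow-list below are illustrative assumptions.

// Types a browser can display inline without executing script.
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'text/plain',
]);

function normalizeType(declaredType) {
  // Drop parameters ("text/html; charset=utf-8") and case differences.
  return String(declaredType || '').split(';')[0].trim().toLowerCase();
}

function safeFilename(name) {
  // Keep only the base name, then replace quotes, angle brackets,
  // control characters and anything else outside a conservative set.
  const base = String(name || '').split(/[\\/]/).pop();
  const cleaned = base.replace(/[^\w.\- ]/g, '_').slice(0, 128);
  return cleaned || 'download';
}

function downloadHeaders(filename, declaredType) {
  const type = normalizeType(declaredType);
  const inline = INLINE_SAFE_TYPES.has(type);
  const disposition = inline ? 'inline' : 'attachment';
  return {
    // Anything not on the allow-list (HTML, SVG, XML, ...) is sent as
    // opaque bytes and downloaded instead of rendered.
    'Content-Type': inline ? type : 'application/octet-stream',
    'Content-Disposition': `${disposition}; filename="${safeFilename(filename)}"`,
    // Stop the browser from sniffing HTML out of a mislabelled file.
    'X-Content-Type-Options': 'nosniff',
    // If the response is rendered anyway, it gets an opaque origin
    // and no script execution.
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed sample uploads (not taken from the advisory).
const samples = [
  ['indicators.html', 'text/html; charset=utf-8'],
  ['logo.svg', 'image/svg+xml'],
  ['screenshot.png', 'IMAGE/PNG'],
];
for (const [name, type] of samples) {
  console.log(name, downloadHeaders(name, type)['Content-Disposition']);
}
```

Serving uploads from a separate origin that holds no session cookies complements these headers, since a file that does render then has no access to the application's origin.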

CVE-2022-30290

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse this vulnerability to arbitrarily change their registered e-mail address as well as their API key, even though neither action is legitimately possible through the interface.

An attacker can modify their e-mail address used by the system, as well as the API key, even though such action is not possible through legitimate channels.

Solution

Upgrade to the latest version available: https://github.com/OpenCTI-Platform/opencti/releases
