Summary
In a user's own profile, there are deny and allow lists for the attributes a user is allowed to update.
These allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user.
Impact
We have not identified any privilege escalation issues with this, mainly because schema validation checks are in place in the latest version, which prevent a user from, for example, updating their own id to the same value as an existing administrator's.
It is however possible to toggle the external flag on/off and to change the user's own token value.
It is also possible to edit attributes that are not in the allow list, such as otp_qr and otp_activated.
If external users exist in the OpenCTI setup and the information about these users' identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low-privileged user.
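The fix an advisory like this calls for on the server side is a self-update path that enforces an explicit allowlist and rejects, rather than silently drops, anything outside it. The block below is an added example written for this page, not OpenCTI's code: the attribute names id, external, otp_qr and otp_activated come from the advisory text, while api_token, name, description, language and theme, the function names and the audit record shape are constructed for the example. It contrasts a deny-list filter (which passes through every key it does not know) with allowlist enforcement that refuses the whole request, records the attempt for detection, and keys the write on the session's user id rather than anything in the request body.

```javascript
// Added example, not OpenCTI's code: server-side enforcement of which
// attributes a user may change on their own profile. "id", "external",
// "otp_qr" and "otp_activated" are taken from the advisory; "api_token",
// "name", "description", "language" and "theme" are constructed names.

// Explicit allowlist: the only attributes the self-update path will write.
const SELF_EDITABLE = new Set(['name', 'description', 'language', 'theme']);

// Known sensitive attributes. Used only to annotate the audit record; the
// decision itself is "not in SELF_EDITABLE => rejected", so a forgotten
// entry here cannot widen what a user may change.
const SENSITIVE = new Set(['id', 'external', 'api_token', 'otp_qr', 'otp_activated']);

class ProfileUpdateError extends Error {
  constructor(rejected) {
    super(`attributes not editable by the user: ${rejected.join(', ')}`);
    this.name = 'ProfileUpdateError';
    this.rejected = rejected;
  }
}

// Deny-list filter, shown for contrast: it strips the keys it knows about and
// lets everything else through, so any attribute missing from SENSITIVE is
// written as submitted.
function filterUpdateDenyList(input) {
  const out = {};
  for (const [key, value] of Object.entries(input)) {
    if (!SENSITIVE.has(key)) out[key] = value;
  }
  return out;
}

// Allowlist enforcement for the self-update path. Every submitted key must be
// in SELF_EDITABLE; otherwise the whole request is rejected (not trimmed) and
// an audit record is appended so the attempt is visible to detection.
// `actor` is the authenticated session user; the write is scoped to actor.id.
function applySelfProfileUpdate(actor, input, audit = []) {
  const submitted = Object.keys(input);
  const rejected = submitted.filter((key) => !SELF_EDITABLE.has(key));
  if (rejected.length > 0) {
    audit.push({
      event: 'self_profile_update_rejected',
      user_id: actor.id,
      attributes: rejected,
      sensitive: rejected.filter((key) => SENSITIVE.has(key)),
    });
    throw new ProfileUpdateError(rejected);
  }
  const changes = {};
  for (const key of submitted) {
    changes[key] = input[key];
  }
  // The record to persist is keyed on the caller's id from the session, never
  // on an id supplied in the request body.
  return { id: actor.id, changes };
}

// Constructed demonstration: one legitimate update and one that carries
// attributes the user must not control.
const auditLog = [];
const actor = { id: 'user-42' };
console.log(applySelfProfileUpdate(actor, { name: 'Alice', theme: 'dark' }, auditLog));
try {
  applySelfProfileUpdate(actor, { name: 'Alice', external: true, otp_activated: false }, auditLog);
} catch (err) {
  console.log(err.name, err.message);
}
console.log('audit:', JSON.stringify(auditLog));
console.log('deny-list leak:', filterUpdateDenyList({ name: 'x', otp_qr: 'y', unknown_flag: true }));
```

The design point is in the failure path: a deny list has to anticipate every sensitive attribute in advance, while the allowlist form only has to know what the user is meant to edit, and a rejected request that is also logged gives the SOC a concrete signal (user id plus the attributes attempted) instead of a silently trimmed write.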