CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2020-37044

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 11.3%

CVSS Severity

CVSS v3 Score 5.4

References

https://github.com/OpenCTI-Platform/opencti
https://www.exploit-db.com/exploits/48595
https://www.opencti.io/
https://www.vulncheck.com/advisories/opencti-cross-site-scripting

Products affected by CVE-2020-37044

Citeum » Opencti » Version: 3.3.1

cpe:2.3:a:citeum:opencti:3.3.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2020-37044

Products

Pricing

Contact Us