EIQ-2018-0002



ID

EIQ-2018-0002

(Former ref.: 1801-02)

CVE

-

Description

Missing authorization checks on some endpoints

Date

-

Status

images/s/en_GB/7701/d7b403a44466e5e8970db7530201039d865e79e1/_/images/icons/emoticons/check.svg 2.3.1 (partially)

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.4.0 (completely)

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Assessment

Discovered API endpoints allow an existing user of the platform to view/modify intelligence created by another user.

Mitigation

From release 2.3.1, unauthorized users cannot upload, edit, or download attachments.

An overhaul of the permission system is on the roadmap for future iterations.

Affected versions

-

Notes

This risk assumes an adversary has existing access to the platform and a valid user account.

The majority of risk can be mitigated by monitoring audit logs for account misuse.

< Back to all security issues and mitigation actions