EIQ-2020-0002
|
ID |
EIQ-2020-0002 |
|
CVE |
- |
|
Description |
A signed-in user can use platform rules to send a GET request to a remote host |
|
Date |
03 Feb 2020 |
|
Severity |
1 - LOW |
|
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
|
Status |
|
|
Assessment |
A signed-in platform user without admin access rights can use the titles of tasks, titles of enrichments, and titles of discovery rules to send a GET request to a remote host through a browser. The request may reveal the IP address of the user, and various headers that the browser sends. It can also be used to send GET requests to other systems that user browser has access to, including internal networks. The vulnerability does not allow threat actors to steal cookies, and does not enable responses to be viewed. |
|
Mitigation |
Upgrade to EclecticIQ Platform 2.7.0 or later. |
|
Affected versions |
2.6.0 and earlier. |
|
Notes |
- |
2.7.0< Back to all security issues and mitigation actions
In release notes 2.7.0