EIQ-2020-0002



ID

EIQ-2020-0002

CVE

-

Description

A signed-in user can use platform rules to send a GET request to a remote host

Date

03 Feb 2020

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.7.0

Assessment

A signed-in platform user without admin access rights can use the titles of tasks, titles of enrichments, and titles of discovery rules to send a GET request to a remote host through a browser.

The request may reveal the IP address of the user, and various headers that the browser sends.

It can also be used to send GET requests to other systems that user browser has access to, including internal networks.

The vulnerability does not allow threat actors to steal cookies, and does not enable responses to be viewed.

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

-

< Back to all security issues and mitigation actions

In release notes 2.7.0