EIQ-2018-0002
ID |
EIQ-2018-0002 (Former ref.: 1801-02) |
CVE |
- |
Description |
Missing authorization checks on some endpoints |
Date |
- |
Status |
2.3.1 (partially) 2.4.0 (completely) |
Severity |
3 - HIGH |
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
Assessment |
Discovered API endpoints allow an existing user of the platform to view/modify intelligence created by another user. |
Mitigation |
From release 2.3.1, unauthorized users cannot upload, edit, or download attachments. An overhaul of the permission system is on the roadmap for future iterations. |
Affected versions |
- |
Notes |
This risk assumes an adversary has existing access to the platform and a valid user account. The majority of risk can be mitigated by monitoring audit logs for account misuse. |