{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T08:26:29.112","vulnerabilities":[{"cve":{"id":"CVE-2025-24887","sourceIdentifier":"security-advisories@github.com","published":"2025-04-30T19:15:55.070","lastModified":"2025-05-19T11:51:33.870","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the `external` flag on/off and change the own token value for a user. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and the information about these users identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low privileged user. This issue has been patched in version 6.4.10."},{"lang":"es","value":"OpenCTI es una plataforma de inteligencia de ciberamenazas de código abierto. En versiones desde la 6.4.8 hasta anteriores a la 6.4.10, se pueden omitir las listas de permitidos/denegados, lo que permite al usuario cambiar atributos que no se deben modificar. Es posible activar o desactivar la opción \"external\" y cambiar el valor del token de un usuario. También es posible editar atributos que no están en la lista de permitidos, como \"otp_qr\" y \"otp_activated\". Si existen usuarios externos en la configuración de OpenCTI y la información sobre sus identidades es confidencial, las vulnerabilidades mencionadas anteriormente se pueden utilizar para enumerar las cuentas de usuario existentes como un usuario estándar con privilegios bajos. Este problema se ha corregido en la versión 6.4.10."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-657"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*","versionStartExcluding":"6.4.8","versionEndIncluding":"6.4.10","matchCriteriaId":"5CD9EE37-D774-47BF-9839-67971932C2CB"}]}]}],"references":[{"url":"https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-8262-pw2q-5qc3","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}