Home > Vulnerability Database > CVE-2025-24887

Mend.io Vulnerability Database

CVE-2025-24887

Good to know:

Date: April 30, 2025

OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the "external" flag on/off and change the own token value for a user. It is also possible to edit attributes that are not in the allow list, such as "otp_qr" and "otp_activated". If external users exist in the OpenCTI setup and the information about these users identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low privileged user. This issue has been patched in version 6.4.10.

Severity Score

6.3

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-24887

Url: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-8262-pw2q-5qc3

Url: https://www.mend.io/vulnerability-database/CVE-2025-24887

Severity Score

6.3

Weakness Type (CWE)

Improper Access Control

CWE-284

Violation of Secure Design Principles

CWE-657

Top Fix

Upgrade Version

Upgrade to version https://github.com/OpenCTI-Platform/opencti.git - 6.4.10

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-24887

Good to know:

Date: April 30, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?