Fluid Attacks Database

Description

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pycti	=1.2.1 \|\| =1.2.11 \|\| =1.2.12 \|\| =1.2.13 \|\| =1.2.14 \|\| =1.2.15 \|\| =1.2.2 \|\| =1.2.4 \|\| =1.2.9 \|\| =2.0.0 \|\| =2.0.1 \|\| =2.0.2 \|\| =2.0.3 \|\| =2.1.10 \|\| =2.1.11 \|\| =2.1.12 \|\| =2.1.13 \|\| =2.1.3 \|\| =2.1.4 \|\| =2.1.5 \|\| =2.1.6 \|\| =2.1.7 \|\| =2.1.8 \|\| =2.1.9 \|\| =3.0.0 \|\| =3.0.1 \|\| =3.0.2 \|\| =3.0.3 \|\| =3.1.0 \|\| =3.1.1 \|\| =3.1.2 \|\| =3.2.0 \|\| =3.2.1 \|\| =3.2.2 \|\| =3.2.3 \|\| =3.2.4 \|\| =3.2.5 \|\| =3.2.6 \|\| =3.2.7 \|\| =3.3.0 \|\| =3.3.1 \|\| >=0 <=3.3.1	3.3.2

Aliases

1. CVE-2020-370442. NVD-2020-370443. OSV-PYSEC-2026-1154. OSV-2020-370445. GCVE-2020-370446. vulncheck.com

References

1. https://www.opencti.io/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.