CVE-2020-37044 in OpenCTI
Summary
by MITRE • 01/31/2026
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.
Analysis
by VulDB Data Team • 02/14/2026
CVE-2020-37044 affects OpenCTI version 3.3.1 and is a critical reflected cross-site scripting flaw in the application's /graphql endpoint. It allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session, which can lead to unauthorized access to sensitive data, session hijacking, or further exploitation of the affected system. The flaw arises because the application does not properly sanitize or encode input received through the query string of the /graphql endpoint before including it in the response, so an injected script is executed by the victim's browser when the response is rendered.
The defect is a straightforward reflection: user-supplied input is written into the HTTP response without sanitization or output encoding. When an attacker sends a GET request to /graphql with a payload such as the one quoted in the summary, the application reflects that input back in the response delivered to the victim's browser. The payload's structure, closing any open style or script context with tag terminators before opening its own script element, shows how HTML tag closures can get past simple input filtering when the response handler applies no output encoding. The weakness is classified as CWE-79 (improper neutralization of input during web page generation), a classic case of client-side script injection.
The operational impact goes beyond triggering an alert: reflected XSS can be used for credential theft, session manipulation and data exfiltration. An attacker could craft payloads that steal session cookies, redirect users to malicious sites, or launch further attacks from the victim's browser context. Confirmed exploitation on both Linux Mint and Windows 10 shows that the issue is platform-independent, affecting users regardless of operating system. The vulnerability is mapped to the MITRE ATT&CK technique T1059.001 (Command and Scripting Interpreter), specifically the execution of malicious scripts within a user's browser environment.
Mitigation should focus on comprehensive input validation and, above all, context-appropriate output encoding throughout the application's data processing pipeline. The primary remediation is to sanitize user input received through the /graphql endpoint and to encode any dynamic content before it is rendered in the browser. Organizations should also deploy Content Security Policy headers to restrict script execution and establish input validation routines that reject or sanitize potentially malicious payloads before they are processed; CSP is defense in depth here, not a substitute for encoding the reflected value. Regular security testing, including dynamic application security testing and manual penetration testing, should be conducted to find similar flaws in the codebase. Finally, OpenCTI should be updated to a release that addresses this vulnerability, as newer versions are expected to include the input sanitization and output encoding needed to prevent reflected XSS.
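As an added illustration (not OpenCTI's own code), the snippet below shows the bug class from the analysis above next to its hardened form and a defender's log check: an HTML error page that concatenates the raw query string, the same page with HTML entity encoding and defense-in-depth headers, and a scan of access-log lines for the advisory's probe pattern. The payload is the one quoted in the summary; the handler names and the log lines are constructed.

```javascript
// Added example, not OpenCTI's code: the reflection bug class from the advisory,
// a hardened renderer, and a log check for the same probe pattern.
// Payload quoted in the advisory, used as the test input below.
const ADVISORY_PAYLOAD = "'\"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt>";

// Vulnerable pattern: the raw query string is concatenated into an HTML response.
function renderErrorVulnerable(rawQuery) {
  return `<html><body><p>Bad GraphQL request: ${rawQuery}</p></body></html>`;
}

// Hardened: entity-encode every character that can break out of HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

function renderErrorHardened(rawQuery) {
  return `<html><body><p>Bad GraphQL request: ${escapeHtml(rawQuery)}</p></body></html>`;
}

// Defence-in-depth headers to send with the hardened response (CSP is not a
// substitute for the encoding fix; nosniff stops MIME confusion on error bodies).
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Detection: flag /graphql GETs whose decoded query string carries tag markup,
// closing sequences or event handlers, case-insensitively (scRipt in the advisory).
const PROBE_PATTERN = /<\s*\/?\s*(script|style|img|svg|iframe)\b|javascript:|\bon\w+\s*=/i;

function findXssProbes(accessLogLines) {
  const hits = [];
  for (const line of accessLogLines) {
    const m = line.match(/"GET (\/graphql\?[^ "]*)/);
    if (!m) continue;
    let decoded; try { decoded = decodeURIComponent(m[1]); } catch (e) { decoded = m[1]; } // malformed %-escapes
    if (PROBE_PATTERN.test(decoded)) hits.push({ line, request: decoded });
  }
  return hits;
}

// Constructed sample access-log lines (not from a real deployment).
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Jan/2026:10:00:01 +0000] "GET /graphql?query=%7B__typename%7D HTTP/1.1" 200 31',
  '10.0.0.9 - - [31/Jan/2026:10:00:07 +0000] "GET /graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E HTTP/1.1" 400 88',
];
```

Running `findXssProbes(SAMPLE_LOG)` returns only the second line, with the decoded request showing the same tag-closure sequence the advisory describes.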