Security upgrade: release of TheHive versions 5.2.9 and 5.1.10

KEY FINDINGS FROM THE PENETRATION TEST 

Our in-depth security assessment revealed five vulnerabilities - three of medium severity and two of low severity. 

Medium Severity Vulnerabilities

1. SB-SEC-ADV-2023-001 (Reporting – Stored Cross-Site Scripting): This vulnerability can lead to account impersonation, including those with administrator privileges. 
2. SB-SEC-ADV-2023-002 (Attachment – Stored Cross-Site Scripting): Exploitation of this flaw can coerce a victim account to elevate another user's privileges unintentionally. 
3. SB-SEC-ADV-2023-003 (Branding Logo – Reflected Cross-Site Scripting): Similar to SB-SEC-ADV-2023-001, this vulnerability can also result in account impersonation. 

Low Severity Vulnerabilities

1. SB-SEC-ADV-2023-004 (MFA - Lack of Lockout Policy): Absence of account lockout in response to repeated incorrect multi-factor authentication attempts. 
2. SB-SEC-ADV-2023-005 (Username Enumeration): Potential for attackers to identify of accounts are registered or not on the platform. 

For detailed insights, please refer to the individual advisories on our security repository. 

REQUIRED UPDATES

To address these vulnerabilities, we have implemented patches in TheHive versions 5.2.9 and 5.1.10. We strongly urge all users to upgrade to version 5.2.9, or at least to version 5.1.10 for those still using TheHive v.5.1. 

REPORTING SECURITY ISSUES 

We encourage responsible collaboration in identifying and reporting potential security issues. Please visit our Responsible Vulnerability Disclosure Policy page for guidelines on secure reporting.

CREDITS 

We are thankful to Randorisec for its exemplary penetration testing services. RandoriSec is an offensive security company with a team of experienced consultants who help the company's clients contain technology-related risks. Their expertise has been instrumental in enhancing the security and reliability of TheHive.