MISP 2.4.79 Cross Site Scripting

2017.08.30
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Hi list, We have found a Stored Cross-site scripting vulnerability in MISP (Malware Information Sharing Platform & Threat Sharing). [Description] Cross-site scripting (XSS) vulnerability in the comments of the events within MISP before 2.4.79 allows remote attackers to inject arbitrary web script or HTML via a POST request. ------------------------------------------ [Additional Information] The comment functionality in the event section in MISP is vulnerable to a stored cross-site scripting (XSS) attack. The comment functionality allow an attacker to insert pre-defined tags like e.g. [code] or [quote] which are then converted to HTML code by the server. By using a mix of different tags, the HTML code will be broken and an attacker can inject arbitrary JavaScript or HTML code. This however only impacts users of the same instance since comments are not synchronized. ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product] MISP (Malware Information Sharing Platform & Threat Sharing) ------------------------------------------ [Affected Product Code Base] MISP 2.4.79 and earlier ------------------------------------------ [Affected Component] Event comment component (app/View/Helper/CommandHelper.php) ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Attack Vectors] An attacker could use the command section of an event to store malicious JavaScript code that for example loads external content serving malware in the database. Since the comment section can be used by non-privilliged users, an attacker could use this vulnerability to escalate privilleges. ------------------------------------------ [Reference & Solution] Credits: https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa Update: http://www.misp-project.org/2017/08/25/MISP.2.4.79.released.html ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Deloitte, Jurgen Jans & Cedric van Bockhaven ------------------------------------------ [Reserved CVE] CVE-2017-13671 Kind regards, Deloitte Zero Day *Disclaimer:* ________________________________ This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte: http://www2.deloitte.com/nl/nl/legal/Disclaimer.html Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html for a more detailed description of DTTL and its member firms.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top