Hi list,
We have found a Stored Cross-site scripting vulnerability in MISP (Malware Information Sharing Platform & Threat Sharing).
[Description]
Cross-site scripting (XSS) vulnerability in the comments of the events within MISP before 2.4.79 allows remote
attackers to inject arbitrary web script or HTML via a POST request.
------------------------------------------
[Additional Information]
The comment functionality in the event section in MISP is vulnerable to a stored cross-site scripting (XSS) attack. The comment functionality allow an attacker to insert pre-defined tags like e.g. [code] or [quote] which are then converted to HTML code by the server. By using a mix of different tags, the HTML code will be broken and an attacker can inject arbitrary JavaScript or HTML code. This however only impacts users of the same instance since comments are not synchronized.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
MISP (Malware Information Sharing Platform & Threat Sharing)
------------------------------------------
[Affected Product Code Base]
MISP 2.4.79 and earlier
------------------------------------------
[Affected Component]
Event comment component (app/View/Helper/CommandHelper.php)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Attack Vectors]
An attacker could use the command section of an event to store malicious JavaScript code that for example loads external content serving malware in the database. Since the comment section can be used by non-privilliged users, an attacker could use this vulnerability to escalate privilleges.
------------------------------------------
[Reference & Solution]
Credits: https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
Update: http://www.misp-project.org/2017/08/25/MISP.2.4.79.released.html
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Deloitte, Jurgen Jans & Cedric van Bockhaven
------------------------------------------
[Reserved CVE]
CVE-2017-13671
Kind regards,
Deloitte Zero Day
*Disclaimer:*
________________________________
This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte:
http://www2.deloitte.com/nl/nl/legal/Disclaimer.html
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html for a more detailed description of DTTL and its member firms.