This article is a part of our Vulnerability Database
Cross-site Scripting occurrences in MISP
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. (2022-04-20, CVE-2022-29531)
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. (2022-04-20, CVE-2022-29530)
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. (2022-04-20, CVE-2022-29529)
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." (2022-04-20, CVE-2022-29533)
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. (2022-04-20, CVE-2022-29532)
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. (2022-03-18, CVE-2022-27244)
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. (2022-03-18, CVE-2022-27246)
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. (2021-07-30, CVE-2021-37742)
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. (2021-07-30, CVE-2021-37743)
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. (2021-07-26, CVE-2021-37534)
app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. (2021-07-07, CVE-2021-36212)
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code. (2021-01-26, CVE-2020-24085)
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. (2021-01-19, CVE-2021-25324)
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. (2021-01-19, CVE-2021-3184)
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. (2021-01-19, CVE-2021-25325)
app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. (2020-12-06, CVE-2020-29572)
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. (2020-11-19, CVE-2020-28947)
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. (2020-05-18, CVE-2020-13153)
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. (2020-03-09, CVE-2020-10247)
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. (2020-03-09, CVE-2020-10246)
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability. (2019-07-27, CVE-2019-14286)
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. (2019-05-08, CVE-2019-11812)
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links. (2019-05-08, CVE-2019-11813)
An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. (2019-05-08, CVE-2019-11814)
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. (2019-03-28, CVE-2019-10254)
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. (2018-05-30, CVE-2018-11562)
app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. (2018-05-18, CVE-2018-11245)
In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. (2018-03-23, CVE-2018-8948)
Why Cross-site Scripting can be dangerous
Cross-site scripting is an attack in which a web page executes code that was injected by an adversary. It usually appears where user input is displayed back on a page. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.
The attack can be executed, for example, when your application inserts a request parameter directly into the HTML code of the page returned to the user:
https://server.com/confirmation?message=Transaction+Complete
which results in:
<span>Confirmation: Transaction Complete</span>
In that case the message can be modified to become valid JavaScript code, e.g.:
https://server.com/confirmation?message=<script>dangerous javascript code here</script>
and it will be executed locally by the user's browser with full access to the user's personal application/browser data:
<span>Confirmation: <script>dangerous javascript code here</script></span>
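The confirmation page described above, rendered once without and once with output encoding, as an added example that is not part of the original article and is not MISP code. It also covers the link-field case that several of the entries above mention (javascript: URLs) by allow-listing URL schemes before building an anchor. The function names and the http/https allow-list are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: link fields should only ever hold web URLs.
ALLOWED_LINK_SCHEMES = {"http", "https"}

# Constructed sample requests, taken from the URLs shown in the text above.
GOOD_REQUEST = "https://server.com/confirmation?message=Transaction+Complete"
BAD_REQUEST = ("https://server.com/confirmation?message="
               "<script>dangerous javascript code here</script>")


def get_message(request_url: str) -> str:
    """Return the decoded 'message' query parameter of a request URL."""
    query = urlsplit(request_url).query
    return parse_qs(query).get("message", [""])[0]


def render_vulnerable(request_url: str) -> str:
    """Unsafe: the parameter is concatenated into the markup unchanged."""
    return "<span>Confirmation: " + get_message(request_url) + "</span>"


def render_escaped(request_url: str) -> str:
    """Safe for HTML text context: <, >, &, \" and ' become entities."""
    message = html.escape(get_message(request_url), quote=True)
    return "<span>Confirmation: " + message + "</span>"


def render_link(url: str) -> str:
    """Build an anchor only for allow-listed schemes; otherwise emit inert text.

    Escaping alone does not stop a javascript: URL, because the value is
    still a valid href. The scheme has to be checked as well.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_LINK_SCHEMES:
        return html.escape(url, quote=True)
    safe = html.escape(url, quote=True)
    return '<a href="{0}" rel="noopener noreferrer">{0}</a>'.format(safe)


if __name__ == "__main__":
    print(render_vulnerable(BAD_REQUEST))   # script element reaches the page
    print(render_escaped(BAD_REQUEST))      # rendered as visible text only
    print(render_link("javascript:void(0)"))
```
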