HackDig : Dig high-quality web security articles for hackers

CVE-2017-13671 - MISP Stored XSS

2017-08-29 08:40
Hi list,

We have found a Stored Cross-site scripting vulnerability in MISP (Malware Information Sharing Platform & Threat

Cross-site scripting (XSS) vulnerability in the comments of the events within MISP before 2.4.79 allows remote
attackers to inject arbitrary web script or HTML via a POST request.


[Additional Information]
The comment functionality in the event section in MISP is vulnerable to a stored cross-site scripting (XSS) attack.
The comment functionality allow an attacker to insert pre-defined tags like e.g. [code] or [quote] which are then
converted to HTML code by the server. By using a mix of different tags, the HTML code will be broken and an attacker
can inject arbitrary JavaScript or HTML code. This however only impacts users of the same instance since comments are
not synchronized.


[Vulnerability Type]
Cross Site Scripting (XSS)


[Vendor of Product]
MISP (Malware Information Sharing Platform & Threat Sharing)


[Affected Product Code Base]
MISP 2.4.79 and earlier


[Affected Component]
Event comment component (app/View/Helper/CommandHelper.php)


[Attack Type]


[Attack Vectors]
An attacker could use the command section of an event to store malicious JavaScript code that for example loads
external content serving malware in the database. Since the comment section can be used by non-privilliged users, an
attacker could use this vulnerability to escalate privilleges.


[Reference & Solution]
Credits: https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
Update: http://www.misp-project.org/2017/08/25/MISP.2.4.79.released.html


[Has vendor confirmed or acknowledged the vulnerability?]


Deloitte, Jurgen Jans & Cedric van Bockhaven


[Reserved CVE]

Kind regards,
Deloitte Zero Day

This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte:

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"),
its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see
http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html for a more detailed description of DTTL
and its member firms.

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: 14/guA/7102/erusolcsidlluf/gro.stsilces

Read:4203 | Comments:0 | Tags: Xss

“CVE-2017-13671 - MISP Stored XSS”0 Comments

Submit A Comment



Blog :

Verification Code: