Stored Cross-Site Scripting in MISP by The MISP Project
CVE-2023-37307

7.5HIGH

Key Information:

Vendor: Misp-project
Status: Malware Information Sharing Platform
Vendor: CVE Published:; 30 June 2023

🔔 Create Misp-project Vulnerability Alert

What is CVE-2023-37307?

In MISP versions prior to 2.4.172, the title_for_layout function is prone to inadequate sanitization within Correlations, CorrelationExclusions, and Layouts. This could allow attackers to exploit the vulnerability by injecting malicious scripts. When these scripts execute in the browser of a user viewing the affected layouts, it could enable session hijacking, defacement, or other malicious activities, posing a significant risk to the integrity of the application and the security of its users.

References

https://github.com/MISP/MISP/commit/286c84fab0047726a6a39...

https://github.com/MISP/MISP/compare/v2.4.171...v2.4.172

https://zigrin.com/advisories/misp-stored-xss/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2023
Vulnerability Reserved
Jun 30, 2023

CVE-2023-37307 Data

JSON