[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CVE-2017-13671 - MISP Stored XSS
From: "NL Deloitte Zero Day (NL - Amsterdam)" <ZeroDay () deloitte ! nl>
Date: 2017-08-27 9:12:09
Message-ID: AM4PRD85MB0052B6F1A0F08786C21BD4E3B3990 () AM4PRD85MB0052 ! NAMPRD85 ! PROD ! OUTLOOK ! COM
[Download RAW message or body]
Hi list,
We have found a Stored Cross-site scripting vulnerability in MISP (Malware Information Sharing \
Platform & Threat Sharing).
[Description]
Cross-site scripting (XSS) vulnerability in the comments of the events within MISP before \
2.4.79 allows remote attackers to inject arbitrary web script or HTML via a POST request.
------------------------------------------
[Additional Information]
The comment functionality in the event section in MISP is vulnerable to a stored cross-site \
scripting (XSS) attack. The comment functionality allow an attacker to insert pre-defined tags \
like e.g. [code] or [quote] which are then converted to HTML code by the server. By using a mix \
of different tags, the HTML code will be broken and an attacker can inject arbitrary JavaScript \
or HTML code. This however only impacts users of the same instance since comments are not \
synchronized.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
MISP (Malware Information Sharing Platform & Threat Sharing)
------------------------------------------
[Affected Product Code Base]
MISP 2.4.79 and earlier
------------------------------------------
[Affected Component]
Event comment component (app/View/Helper/CommandHelper.php)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Attack Vectors]
An attacker could use the command section of an event to store malicious JavaScript code that \
for example loads external content serving malware in the database. Since the comment section \
can be used by non-privilliged users, an attacker could use this vulnerability to escalate \
privilleges.
------------------------------------------
[Reference & Solution]
Credits: https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
Update: http://www.misp-project.org/2017/08/25/MISP.2.4.79.released.html
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Deloitte, Jurgen Jans & Cedric van Bockhaven
------------------------------------------
[Reserved CVE]
CVE-2017-13671
Kind regards,
Deloitte Zero Day
*Disclaimer:*
________________________________
This e-mail message and its attachments are subject to the disclaimer published at the \
following website of Deloitte: http://www2.deloitte.com/nl/nl/legal/Disclaimer.html
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company \
limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL \
and each of its member firms are legally separate and independent entities. DTTL (also referred \
to as "Deloitte Global") does not provide services to clients. Please see \
http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html for a more \
detailed description of DTTL and its member firms.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic