MISP - XSS with cortex type attributes Key Information Date: 18.05.2018 Affected Vendor: CIRCL - Computer Incident Response Center Luxembourg Affected Product: MISP - Malware Information Sharing Platform & Open Standards For Threat Information Sharing - https://www.misp-project.org/ Vulnerable Version: 2.4.91 Fixed Version: 2.4.92 CVSS: 6.4 Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) Recommendations: Update to MISP version 2.4.92 Vulnerability Details This is very dangerous because every user with permissions to add attributes can attack any other user, including an administrator, exfiltrating for example an auth key. PoC Easiest way to reproduce it: 1. Create an event 2. Add an attribute 3. Click on the value of the newly created attribute (Cortex object) PoC with stealing auth key Fix CVE CVE-2018-11245 Credits Dawid Czarnecki References https://github.com/MISP/MISP/commit/5efc07b12f82301a6086fd3433fedd69fe7119d3 https://www.cvedetails.com/cve/CVE-2018-11245/ https://nvd.nist.gov/vuln/detail/CVE-2018-11245