Cross site scripting vulnerability in the comments
In MISP 2.4.78 (and below), a MISP user having access to a MISP instance can inject JavaScript in a comment field, aka XSS.
The comment field is not part of the MISP synchronisation and only impacts the users of the same instance.
Fixes
MISP versions below 2.4.79 are vulnerable. This vulnerability is fixed in version 2.4.79.
CVE
Acknowledgement
CIRCL would like to thank the reporters Jurgen Jans and Cedric Van Bockhaven from Deloitte.
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version (20170825)