[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2017-13671 - MISP Stored XSS

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] CVE-2017-13671 - MISP Stored XSS
From: "NL Deloitte Zero Day (NL - Amsterdam)" <ZeroDay@xxxxxxxxxxx>
Date: Sun, 27 Aug 2017 09:12:09 +0000

Hi list,

We have found a Stored Cross-site scripting vulnerability in MISP (Malware 
Information Sharing Platform & Threat Sharing).

[Description]
Cross-site scripting (XSS) vulnerability in the comments of the events within 
MISP before 2.4.79 allows remote
attackers to inject arbitrary web script or HTML via a POST request.

------------------------------------------

[Additional Information]
The comment functionality in the event section in MISP  is vulnerable to a 
stored cross-site scripting (XSS) attack. The comment functionality allow an 
attacker to insert pre-defined tags like e.g. [code] or [quote] which are then 
converted to HTML code by the server. By using a mix of different tags, the 
HTML code will be broken and an attacker can inject arbitrary JavaScript or 
HTML code. This however only impacts users of the same instance since comments 
are not synchronized.

------------------------------------------

[Vulnerability Type]
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]
MISP (Malware Information Sharing Platform & Threat Sharing)

------------------------------------------

[Affected Product Code Base]
MISP 2.4.79 and earlier

------------------------------------------

[Affected Component]
Event comment component (app/View/Helper/CommandHelper.php)

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Attack Vectors]
An attacker could use the command section of an event to store malicious 
JavaScript code that for example loads external content serving malware in the 
database. Since the comment section can be used by non-privilliged users, an 
attacker could use this vulnerability to escalate privilleges.

------------------------------------------

[Reference & Solution]
Credits: 
https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
Update: http://www.misp-project.org/2017/08/25/MISP.2.4.79.released.html


------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Deloitte, Jurgen Jans & Cedric van Bockhaven

------------------------------------------

[Reserved CVE]
CVE-2017-13671

Kind regards,
Deloitte Zero Day
*Disclaimer:*

________________________________
This e-mail message and its attachments are subject to the disclaimer published 
at the following website of Deloitte:
http://www2.deloitte.com/nl/nl/legal/Disclaimer.html

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK 
private company limited by guarantee ("DTTL"), its network of member firms, and 
their related entities. DTTL and each of its member firms are legally separate 
and independent entities. DTTL (also referred to as "Deloitte Global") does not 
provide services to clients. Please see 
http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html 
for a more detailed description of DTTL and its member firms.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference
Next by Date: [FD] ConnMan #ConnManDo Vulnerability
Previous by thread: [FD] Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference
Next by thread: [FD] ConnMan #ConnManDo Vulnerability
Index(es):
- Date
- Thread