MISP - XSS in add action of the AuthKeys controller | Web Application Security Testing

DATE

23.01.2023

Affected Vendor

CIRCL – Computer Incident Response Center Luxembourg

Affected Product

MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/

Vulnerable version

2.4.166

Fixed version

2.4.168

CVSS

3.0 Low CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Recommendations

Update to MISP version 2.4.168

Vulnerability details

The “Referer” HTTP request header in the “add” action of the “AuthKeys” controller is vulnerable to Reflected Cross-Site Scripting attack. This vulnerability was detected with help of Cake Fuzzer: https://github.com/Zigrin-Security/CakeFuzzer

CVE

CVE-2023-24070

Credits

Dawid Czarnecki

References

https://github.com/MISP/MISP/commit/f7238fe5e71ac065daa43c8607d02f8ac682f18f

Do you think the security of your data might be lacking? Let's find the best approach together.
Once you contact us, we will ask you about the project you want to secure.

Have Any Questions?

MISP – XSS in add action of the AuthKeys controller

NEED A CONSULTATION?

contact@zigrin.com

GPG Key

Get a free consultation