GCVE-1-2025-0038

Vulnerability from gna-1 – Published: 2025-12-10 14:10 – Updated: 2025-12-10 14:16
Summary
A cross-site scripting (XSS) vulnerability was identified in two MISP views:

  • ajaxTemplateTag.ctp
  • Users/admin_index.ctp

1. ajaxTemplateTag.ctp

The JavaScript function call used for removing a template tag included both the tag ID and the tag name. Even though the tag name was escaped with h(), its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter: by eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.

2. Users/admin_index.ctp

The admin user list view passed unescaped filter parameters into the getPopup handler. If $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked "Modify filters".

The vulnerabilities are classified as low impact and high difficulty, as noted in the patch. Exploitation requires:

  • The attacker to create or manipulate tag names or URL parameters in specific ways.
  • An administrator to interact with the affected UI elements (e.g., clicking "Remove tag" or "Modify filters").
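The attribute-context mismatch the summary describes, as an added example that is not MISP's code: it models the HTML entity-decoding stage that runs before the JavaScript engine sees an inline handler, the fragile construction beside the patched one (ID only, no tag name), and a check that flags a handler whose string literal no longer survives decoding. The handler name removeTemplateTag and the sample tag names are assumptions for illustration.

```javascript
// Added example (not MISP's code): models the two parsing stages an inline
// event-handler attribute goes through, which is why h()-style HTML escaping
// does not protect a value placed inside a JS string literal there. The
// handler name removeTemplateTag and the sample tag names are assumptions.

// h()-style escaping (htmlspecialchars with ENT_QUOTES): correct for HTML
// text and attribute values, but unaware of any JS context nested inside.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Stage 1: the HTML parser decodes character references in the attribute
// value before the JS engine sees the handler source, undoing every entity.
function decodeAttributeValue(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] !== "#") return named[ref.toLowerCase()] || m;
    const hex = ref[1].toLowerCase() === "x";
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Fragile construction: the user-controlled tag name is embedded in a JS
// string literal inside the attribute, escaped only for HTML.
function fragileRemoveHandler(tagId, tagName) {
  return `removeTemplateTag(${Number(tagId)}, '${htmlEscape(tagName)}')`;
}

// Patched shape: only the numeric ID reaches the handler; the name never
// enters JavaScript (if the UI needs it, a data-* attribute read via
// element.dataset keeps it in an HTML-only context).
function patchedRemoveHandler(tagId) {
  return `removeTemplateTag(${Number(tagId)})`;
}

// Stage 2 check: after decoding, is the handler still exactly one call whose
// optional second argument is a single intact JS string literal? A tag name
// containing an apostrophe already fails this, with no script involved.
function handlerIsIntact(handlerAttr) {
  const js = decodeAttributeValue(handlerAttr);
  return /^removeTemplateTag\(\d+(?:, '(?:[^'\\]|\\.)*')?\)$/.test(js);
}
```

The same check generalises to any inline handler: encode for the innermost context (JavaScript) first and the attribute (HTML) second, or, as the patch does, keep user data out of the handler entirely.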
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
Impacted products
Vendor: misp
Product: misp
Version: affected, < 2.5.27
Credits
Finder: Jeroen Pinoy
Remediation developer: Andras Iklody (the Insomniac MISP lead dev)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp",
          "vendor": "misp",
          "versions": [
            {
              "lessThan": "2.5.27",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jeroen Pinoy"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andras Iklody"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was identified in two MISP views:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eajaxTemplateTag.ctp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eUsers/admin_index.ctp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n1. \u003ccode\u003eajaxTemplateTag.ctp\u003c/code\u003e\n\u003cp\u003eThe JavaScript function call used for removing a template tag included both the tag ID and tag name.\u003c/p\u003e\u003cp\u003eEven though the tag name was escaped with \u003ccode\u003eh()\u003c/code\u003e, its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:\u003cbr\u003e\u003c/p\u003e\u003cdiv\u003eBy eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2. \u003ccode\u003eUsers/admin_index.ctp\u003c/code\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe admin user list view passed unescaped filter parameters into the \u003ccode\u003egetPopup\u003c/code\u003e handler.\u003cbr\u003e\u003cbr\u003eIf $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked \u201cModify filters.\u201d\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe vulnerabilities are classified as \u003cstrong\u003elow impact\u003c/strong\u003e and \u003cstrong\u003ehigh difficulty\u003c/strong\u003e, as noted in the patch. Exploitation requires:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe attacker to create or manipulate tag names or URL parameters in specific ways.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn administrator to interact with the affected UI elements (e.g., clicking \u201cRemove tag\u201d or \u201cModify filters\u201d).\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
            }
          ],
          "value": "A cross-site scripting (XSS) vulnerability was identified in two MISP views:\n\n\n\n  *  \najaxTemplateTag.ctp\n\n\n\n\n  *  \nUsers/admin_index.ctp\n\n\n\n\n\n\n\n1. ajaxTemplateTag.ctp\nThe JavaScript function call used for removing a template tag included both the tag ID and tag name.\n\nEven though the tag name was escaped with h(), its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:\n\n\nBy eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.\n\n\n\n\n2. Users/admin_index.ctp\n\n\n\n\nThe admin user list view passed unescaped filter parameters into the getPopup handler.\n\nIf $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked \u201cModify filters.\u201d\n\n\n\n\nThe vulnerabilities are classified as low impact and high difficulty, as noted in the patch. Exploitation requires:\n\n\n\n  *  \nThe attacker to create or manipulate tag names or URL parameters in specific ways.\n\n\n\n\n  *  \nAn administrator to interact with the affected UI elements (e.g., clicking \u201cRemove tag\u201d or \u201cModify filters\u201d)."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/MISP/MISP/commit/27f65c52ab66fdc67e86883bd7f28b02a8f24aa0"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Reflected XSS in MISP Template Tag Removal and MISP Admin User Filter Handling",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2025-12-10T14:10:00.000Z",
    "dateUpdated": "2025-12-10T14:16:55.918270Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2025-0038",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2025-12-10T14:10:48.440939Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2025-12-10T14:16:55.918270Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}