GCVE-1-2025-0037
Vulnerability from gna-1 – Published: 2025-12-10 14:01 – Updated: 2025-12-10 14:01
Title
Reflected XSS in MISP Dashboard Widgets via Unescaped Base URL
Summary
A cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:
* APIActivityWidget (app/Lib/Dashboard/APIActivityWidget.php)
* LoginsWidget (app/Lib/Dashboard/LoginsWidget.php)
Both widgets construct HTML output using the instance’s base URL. While MISP.baseurl was properly HTML-escaped, the alternative configuration value MISP.external_baseurl was not escaped when read from configuration.
If an attacker with administrative privileges can set or influence the MISP.external_baseurl configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.
Because the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:
* Session hijacking within admin context (if cookies are accessible)
* Execution of arbitrary actions as another site admin
* Defacement or injection of misleading information into dashboards
This is considered low impact but with high exploitation requirements, as noted in the patch.
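A minimal reconstruction of the pattern described above, added here as an example and not taken from MISP's source: a widget helper that prefers the external base URL when one is configured, shown in the unescaped form beside the escaped one and run against a constructed configuration value. The function names, the configuration array and the sample value are assumptions.

```php
<?php
// Added example (not MISP's own code). $config is a constructed stand-in for the
// instance configuration; the two keys mirror the settings named in the advisory.

// Vulnerable pattern: MISP.baseurl is escaped, but MISP.external_baseurl is
// concatenated raw, so whoever can change that setting controls the widget HTML.
function renderLinkVulnerable(array $config, string $path): string
{
    $base = !empty($config['MISP.external_baseurl'])
        ? $config['MISP.external_baseurl']                       // not escaped
        : htmlspecialchars($config['MISP.baseurl'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $base . $path . '">' . $path . '</a>';
}

// Fixed pattern: select the base URL first, then escape whichever one was chosen
// at the point where it is written into HTML. The path is escaped as well.
function renderLinkFixed(array $config, string $path): string
{
    $raw = !empty($config['MISP.external_baseurl'])
        ? $config['MISP.external_baseurl']
        : $config['MISP.baseurl'];
    $base     = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    $safePath = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $base . $safePath . '">' . $safePath . '</a>';
}

// Constructed value: a base URL that closes the href attribute and opens a tag.
// A widget must render this as inert text, not as markup.
$config = [
    'MISP.baseurl'          => 'https://misp.example.internal',
    'MISP.external_baseurl' => 'https://misp.example.org"><b>injected</b><a href="',
];

echo renderLinkVulnerable($config, '/events/index'), PHP_EOL;
// The <b> element from the config value survives as live markup.
echo renderLinkFixed($config, '/events/index'), PHP_EOL;
// The same value appears as &quot;&gt;&lt;b&gt;injected&lt;/b&gt;... and stays text.

// Defender's check: no raw tag from the configuration value reaches the output.
$out = renderLinkFixed($config, '/events/index');
assert(strpos($out, '<b>') === false);
assert(strpos($out, '&lt;b&gt;') !== false);
```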
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Credits
Jeroen Pinoy
Andras Iklody (the Insomniac MISP lead dev)
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp",
          "vendor": "misp",
          "versions": [
            {
              "lessThan": "2.5.27",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jeroen Pinoy"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andras Iklody"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eAPIActivityWidget\u003c/code\u003e (\u003ccode\u003eapp/Lib/Dashboard/APIActivityWidget.php\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eLoginsWidget\u003c/code\u003e (\u003ccode\u003eapp/Lib/Dashboard/LoginsWidget.php\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth widgets construct HTML output using the instance\u2019s base URL. While \u003ccode\u003eMISP.baseurl\u003c/code\u003e was properly HTML-escaped, the alternative configuration value \u003ccode\u003eMISP.external_baseurl\u003c/code\u003e was not escaped when read from configuration.\u003c/p\u003e\u003cp\u003eIf an attacker with administrative privileges can set or influence the \u003ccode\u003eMISP.external_baseurl\u003c/code\u003e configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eBecause the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSession hijacking within admin context (if cookies are accessible)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eExecution of arbitrary actions as another site admin\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDefacement or injection of misleading information into dashboards\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis is considered \u003cstrong\u003elow impact\u003c/strong\u003e but with \u003cstrong\u003ehigh exploitation requirements\u003c/strong\u003e, as noted in the patch.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "A cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:\n\n\n\n * \nAPIActivityWidget (app/Lib/Dashboard/APIActivityWidget.php)\n\n\n\n\n * \nLoginsWidget (app/Lib/Dashboard/LoginsWidget.php)\n\n\n\n\n\n\n\nBoth widgets construct HTML output using the instance\u2019s base URL. While MISP.baseurl was properly HTML-escaped, the alternative configuration value MISP.external_baseurl was not escaped when read from configuration.\n\nIf an attacker with administrative privileges can set or influence the MISP.external_baseurl configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.\n\n\n\nBecause the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:\n\n\n\n * \nSession hijacking within admin context (if cookies are accessible)\n\n\n\n\n * \nExecution of arbitrary actions as another site admin\n\n\n\n\n * \nDefacement or injection of misleading information into dashboards\n\n\n\n\n\n\n\nThis is considered low impact but with high exploitation requirements, as noted in the patch."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "url": "https://github.com/MISP/MISP/commit/cac45809bf2001d47e092d6efbb7965306a13148"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Reflected XSS in MISP Dashboard Widgets via Unescaped Base URL",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2025-12-10T14:01:03.200804Z",
    "dateUpdated": "2025-12-10T14:01:03.200804Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2025-0037",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2025-12-10T14:01:03.200804Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.