GCVE-1-2026-0003

Vulnerability from gna-1 – Published: 2026-01-13 10:50 – Updated: 2026-01-13 10:54
Title
Stored/Reflected XSS via Unsanitized Parameters in URL Generation and JavaScript Context
Summary
A cross-site scripting (XSS) vulnerability exists in the web application due to improper sanitization of user-controlled input when generating URLs and embedding parameters into JavaScript contexts.

In app/View/Elements/genericElements/SideMenu/side_menu.ctp, the $id parameter was passed directly into a JavaScript function call without HTML escaping, allowing an attacker to inject arbitrary JavaScript code via a crafted identifier.

In app/View/Templates/ajax/template_choices.ctp, user-controlled values (Template.id, $id, and template metadata) were embedded directly into an inline onClick handler and HTML attributes without sufficient context-aware escaping, enabling XSS through crafted URLs or manipulated template data.

An attacker able to supply or influence these parameters could craft malicious links that, when clicked by a victim, execute arbitrary JavaScript in the context of the authenticated user. This could lead to session hijacking, account takeover, or unauthorized actions within the application.

The issue requires user interaction (e.g., clicking a crafted link) to be exploited.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Impacted products
  • Vendor: misp
  • Product: misp
  • Version: Affected: ≤ 2.5.31
Credits
  • Mathis Franel
  • Sami Mokaddem (aka Graphman)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp",
          "vendor": "misp",
          "versions": [
            {
              "lessThanOrEqual": "2.5.31",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mathis Franel"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sami Mokaddem"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability exists in the web application due to improper sanitization of user-controlled input when generating URLs and embedding parameters into JavaScript contexts.\u003c/p\u003e\n\u003cp\u003eIn \u003ccode\u003eapp/View/Elements/genericElements/SideMenu/side_menu.ctp\u003c/code\u003e, the \u003ccode\u003e$id\u003c/code\u003e parameter was passed directly into a JavaScript function call without HTML escaping, allowing an attacker to inject arbitrary JavaScript code via a crafted identifier.\u003c/p\u003e\n\u003cp\u003eIn \u003ccode\u003eapp/View/Templates/ajax/template_choices.ctp\u003c/code\u003e, user-controlled values (\u003ccode\u003eTemplate.id\u003c/code\u003e, \u003ccode\u003e$id\u003c/code\u003e, and template metadata) were embedded directly into an inline \u003ccode\u003eonClick\u003c/code\u003e handler and HTML attributes without sufficient context-aware escaping, enabling XSS through crafted URLs or manipulated template data.\u003c/p\u003e\n\u003cp\u003eAn attacker able to supply or influence these parameters could craft malicious links that, when clicked by a victim, execute arbitrary JavaScript in the context of the authenticated user. This could lead to session hijacking, account takeover, or unauthorized actions within the application.\u003c/p\u003e\n\u003cp\u003eThe issue requires user interaction (e.g., clicking a crafted link) to be exploited.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A cross-site scripting (XSS) vulnerability exists in the web application due to improper sanitization of user-controlled input when generating URLs and embedding parameters into JavaScript contexts.\n\n\nIn app/View/Elements/genericElements/SideMenu/side_menu.ctp, the $id parameter was passed directly into a JavaScript function call without HTML escaping, allowing an attacker to inject arbitrary JavaScript code via a crafted identifier.\n\n\nIn app/View/Templates/ajax/template_choices.ctp, user-controlled values (Template.id, $id, and template metadata) were embedded directly into an inline onClick handler and HTML attributes without sufficient context-aware escaping, enabling XSS through crafted URLs or manipulated template data.\n\n\nAn attacker able to supply or influence these parameters could craft malicious links that, when clicked by a victim, execute arbitrary JavaScript in the context of the authenticated user. This could lead to session hijacking, account takeover, or unauthorized actions within the application.\n\n\nThe issue requires user interaction (e.g., clicking a crafted link) to be exploited."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-18",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-18 XSS Targeting Non-Script Elements"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/MISP/MISP/commit/48e0376b535ea6d26d631d8259923a29f1a6de4e"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Stored/Reflected XSS via Unsanitized Parameters in URL Generation and JavaScript Context",
      "x_gcve": [
        {
          "recordType": "advisory"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2026-01-13T10:50:00.000Z",
    "dateUpdated": "2026-01-13T10:54:13.659223Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "GCVE-1-2026-0003",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-01-13T10:50:48.587127Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-01-13T10:54:13.659223Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

