lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AM4PRD85MB0052B6F1A0F08786C21BD4E3B3990@AM4PRD85MB0052.NAMPRD85.PROD.OUTLOOK.COM>
Date: Sun, 27 Aug 2017 09:12:09 +0000
From: "NL Deloitte Zero Day (NL - Amsterdam)" <ZeroDay@...oitte.nl>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-13671 - MISP Stored XSS

Hi list,

We have found a Stored Cross-site scripting vulnerability in MISP (Malware Information Sharing Platform & Threat Sharing).

[Description]
Cross-site scripting (XSS) vulnerability in the comments of the events within MISP before 2.4.79 allows remote
attackers to inject arbitrary web script or HTML via a POST request.

------------------------------------------

[Additional Information]
The comment functionality in the event section in MISP  is vulnerable to a stored cross-site scripting (XSS) attack. The comment functionality allow an attacker to insert pre-defined tags like e.g. [code] or [quote] which are then converted to HTML code by the server. By using a mix of different tags, the HTML code will be broken and an attacker can inject arbitrary JavaScript or HTML code. This however only impacts users of the same instance since comments are not synchronized.

------------------------------------------

[Vulnerability Type]
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]
MISP (Malware Information Sharing Platform & Threat Sharing)

------------------------------------------

[Affected Product Code Base]
MISP 2.4.79 and earlier

------------------------------------------

[Affected Component]
Event comment component (app/View/Helper/CommandHelper.php)

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Attack Vectors]
An attacker could use the command section of an event to store malicious JavaScript code that for example loads external content serving malware in the database. Since the comment section can be used by non-privilliged users, an attacker could use this vulnerability to escalate privilleges.

------------------------------------------

[Reference & Solution]
Credits: https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
Update: http://www.misp-project.org/2017/08/25/MISP.2.4.79.released.html


------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Deloitte, Jurgen Jans & Cedric van Bockhaven

------------------------------------------

[Reserved CVE]
CVE-2017-13671

Kind regards,
Deloitte Zero Day
*Disclaimer:*

________________________________
This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte:
http://www2.deloitte.com/nl/nl/legal/Disclaimer.html

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html for a more detailed description of DTTL and its member firms.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ