MISP - Reflected XSS Vulnerability

Vulnerability: MISP – Reflected XSS in "uploadFile" action of the Templates controller
Date: 22.12.2022
Affected Vendor: CIRCL – Computer Incident Response Center Luxembourg
Affected Product: MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing - https://www.misp-project.org/
Vulnerable Version: 2.4.166
Fixed Version: 2.4.167
Recommendations: Update to MISP v2.4.167

Vulnerability Details

MISP is an open-source threat intelligence platform for sharing security-related information between organizations. MISP is supported financially and with resources by the Computer Incident Response Center Luxembourg (CIRCL).

The "uploadFile" action of the Templates controller is vulnerable to a reflected cross-site scripting attack. When the victim opens the malicious URL and clicks the "Upload File" box, the attacker's JavaScript code is executed.

This vulnerability was detected with the help of Cake Fuzzer: https://github.com/Zigrin-Security/CakeFuzzer

CVE: CVE-2022-47928
Credits: Dawid Czarnecki
References:
NVD
https://github.com/MISP/MISP/commit/684d3e51398d4ea032b06fa4a1cd2bdf7d8b0ede
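For teams that cannot patch immediately, a retrospective hunt over web server access logs can show whether the vulnerable action was targeted before the upgrade to 2.4.167. The following is an added example, not code from the advisory or from MISP; it assumes the CakePHP-style route `/templates/uploadFile` for the Templates controller's uploadFile action and works on constructed Apache-style log lines.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined-style); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Dec/2022:10:00:01 +0000] "GET /templates/uploadFile/3 HTTP/1.1" 200 512
203.0.113.11 - - [22/Dec/2022:10:00:05 +0000] "GET /templates/uploadFile/3?%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.12 - - [22/Dec/2022:10:00:09 +0000] "GET /events/index?%3Cscript%3E HTTP/1.1" 200 300
203.0.113.13 - - [22/Dec/2022:10:00:12 +0000] "POST /templates/uploadFile/3/%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumed route for the Templates controller's uploadFile action (CakePHP convention).
ENDPOINT_RE = re.compile(r'/templates/uploadFile(?:/|$)', re.IGNORECASE)
# Markup- or script-like fragments that have no place in a legitimate request to this action:
# an HTML tag opener, a javascript: URL, or an on*= event-handler attribute.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_requests(log_text):
    """Return requests to the uploadFile action whose URL carries markup/script-like content."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        target = m.group('target')
        if not ENDPOINT_RE.search(urlsplit(target).path):
            continue  # only the vulnerable action is of interest here
        decoded = fully_decode(target)
        if SUSPICIOUS_RE.search(decoded):
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'method': m.group('method'), 'decoded_target': decoded})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Hits are candidates for review, not confirmed exploitation; the same check can be run on the proxy or WAF logs that sit in front of MISP.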