CVE-2023-28884

6.1 MEDIUM

📋 TL;DR

This vulnerability allows cross-site scripting (XSS) attacks in MISP's community index page. Attackers can inject malicious scripts that execute in victims' browsers when viewing the community index. All MISP instances running version 2.4.169 are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: 2.4.169
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the community index page in the specified version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially compromising the entire MISP instance and sensitive threat intelligence data.

🟠 Likely Case

Session hijacking leading to unauthorized access to threat intelligence data, manipulation of MISP data, or credential theft from authenticated users.

🟢 If Mitigated

Limited impact due to same-origin policy restrictions, but still allows attacker-controlled content execution in victim browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing the community index) but XSS payloads are simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.170 and later

Vendor Advisory: https://github.com/MISP/MISP/commit/b94c7978e5e6b1db369abeedbbf00bca975b08b7

Restart Required: No

Instructions:

1. Update MISP to version 2.4.170 or later.
2. Apply the patch from the GitHub commit.
3. Clear browser caches and verify the fix.

🔧 Temporary Workarounds

Input Sanitization (all platforms)

Implement additional input validation and output encoding for community index parameters.

Modify app/Lib/Tools/CustomPaginationTool.php to sanitize user input.

🧯 If You Can't Patch

  • Restrict access to the community index page using web application firewall rules
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check if MISP version is 2.4.169 by visiting the about page or checking the version file

Check Version:

# VERSION.json stores "major", "minor" and "hotfix" fields (no "version" key), so print the whole file
cat /var/www/MISP/VERSION.json

Verify Fix Applied:

Verify version is 2.4.170+ and test community index page with XSS payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameters in community index requests
  • JavaScript payloads in URL parameters

Network Indicators:

  • Suspicious script tags in HTTP requests to community index

SIEM Query:

web_access_logs WHERE url LIKE '%/events/index/community%' AND (params CONTAINS '<script' OR params CONTAINS 'javascript:')
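
An added example (not code from MISP or from the original advisory) that applies the log indicators above to web access logs in Python. Unlike the plain substring query, it URL-decodes the request target and matches case-insensitively, so encoded markers such as `%3Cscript` are not missed. The path is the one used in the SIEM query; the log lines and parameter names are constructed samples in Combined Log Format.

```python
import re
from urllib.parse import unquote_plus

# Path copied from the SIEM query on this page; adjust to your deployment.
COMMUNITY_INDEX_PATH = "/events/index/community"
# Markers from the same query, matched case-insensitively after decoding.
MARKERS = ("<script", "javascript:")
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded markers (%253C) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_marker(log_line):
    """Return the marker found in a community index request, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # CakePHP named parameters travel in the path (/key:value), so the whole
    # request target is inspected, not only the query string.
    decoded = decode_fully(match.group("target")).lower()
    if not decoded.startswith(COMMUNITY_INDEX_PATH):
        return None
    return next((m for m in MARKERS if m in decoded), None)

def flag_lines(lines):
    """Return (line_number, marker) for every suspicious line."""
    return [(n, m) for n, line in enumerate(lines, 1) if (m := suspicious_marker(line))]

# Constructed sample lines (documentation IP range, made-up parameter names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2023:10:00:00 +0000] "GET /events/index/community?page=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Apr/2023:10:00:05 +0000] "GET /events/index/community?sort=%3CScRiPt%3Ex HTTP/1.1" 200 5301',
    '203.0.113.9 - - [01/Apr/2023:10:00:09 +0000] "GET /events/index/community/sort:%253Cscript%253E HTTP/1.1" 200 5288',
    '203.0.113.9 - - [01/Apr/2023:10:00:12 +0000] "GET /events/view/1?note=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, marker in flag_lines(SAMPLE_LOG):
        print(f"line {number}: {marker!r} in community index request")
```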
