CVE-2023-48659

9.8 CRITICAL

📋 TL;DR

This vulnerability in MISP (Malware Information Sharing Platform) involves improper parameter parsing in AppController.php that enables reflected cross-site scripting (XSS). Attackers can inject malicious scripts via crafted URLs, affecting all users of vulnerable MISP instances. The vulnerability allows execution of arbitrary JavaScript in victims' browsers.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.4.176
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: All MISP installations with default configurations are vulnerable. The vulnerability is in the core controller code.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts and data.

🟠 Likely Case: Session hijacking, credential theft, or unauthorized actions performed in victims' browsers via injected JavaScript.

🟢 If Mitigated: Limited impact with proper Content Security Policy (CSP), input validation, and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but is straightforward. Public advisory includes exploitation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.176

Vendor Advisory: https://github.com/MISP/MISP/commit/37ecf81b84a01baa4d4b1fade4de94a9018c32ed

Restart Required: Yes

Instructions:

1. Backup your MISP instance and database.
2. Update to MISP version 2.4.176 or later.
3. Restart the web server (Apache/Nginx).
4. Clear application caches if configured.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement strict input validation for all URL parameters in a web application firewall or proxy.

Content Security Policy (platform: linux)

Implement strict CSP headers to mitigate XSS impact.

Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Implement a web application firewall with XSS protection rules
  • Restrict access to MISP interface to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check MISP version via web interface admin panel or command: grep -i version /var/www/MISP/app/Config/config.php

Check Version:

grep -i "'version'" /var/www/MISP/app/Config/config.php | head -1

Verify Fix Applied:

Verify version is 2.4.176 or higher and check that commit 37ecf81b84a01baa4d4b1fade4de94a9018c32ed is applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters with script tags or JavaScript in access logs
  • Multiple failed parameter parsing attempts

Network Indicators:

  • HTTP requests with suspicious parameters containing script tags or encoded JavaScript

SIEM Query:

web_access_logs | where url contains "<script" or url contains "javascript:" or url contains "%3Cscript"
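
An added example (not part of the original advisory or of MISP's code): Python that applies the log indicators above to access-log lines after repeated percent-decoding, so double-encoded forms such as %253Cscript, which a substring match on the raw URL misses, are also flagged. The log lines, paths and parameter names are constructed for illustration, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# The indicators from the SIEM query above ("<script", "javascript:"),
# matched case-insensitively on the decoded request target.
INDICATORS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Request target inside a common/combined log format entry: "METHOD target HTTP/x"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2023:10:00:00 +0000] "GET /example/page?q=malware HTTP/1.1" 200 512',
    '203.0.113.6 - - [01/Dec/2023:10:00:05 +0000] "GET /example/page?q=%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Dec/2023:10:00:09 +0000] "GET /example/page?q=%253Cscript%253E HTTP/1.1" 200 498',
    '203.0.113.8 - - [01/Dec/2023:10:00:12 +0000] "GET /example/page?next=JavaScript:void(0) HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Dec/2023:10:00:15 +0000] "GET /example/page?q=description HTTP/1.1" 200 512',
]

def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so nested encodings surface."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_requests(lines):
    """Yield (line_number, decoded_target) for entries matching an indicator."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        decoded = normalize(match.group(1))
        if INDICATORS.search(decoded):
            yield number, decoded

if __name__ == "__main__":
    for number, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {decoded}")
```
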
