CVE-2024-58128
📋 TL;DR
This vulnerability allows attackers with admin privileges in MISP to inject malicious scripts via menu_custom_right_link parameters through the web interface, leading to cross-site scripting (XSS) attacks. It affects MISP instances running versions before 2.4.193. Admin users can exploit this to execute arbitrary JavaScript in the context of other users' sessions.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP (Malware Information Sharing Platform), maintained by the MISP Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could steal session cookies, perform actions as other users, or redirect users to malicious sites, potentially compromising the entire MISP instance and sensitive threat intelligence data.
Likely Case
Admin users could inject persistent XSS payloads that execute when other users view the affected menu links, allowing session hijacking or limited privilege escalation within the application.
If Mitigated
With proper admin account security and monitoring, exploitation is limited to authenticated admin users, which significantly reduces the attack surface.
🎯 Exploit Status
Exploitation requires admin privileges but is straightforward through the web interface. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.193
Vendor Advisory: https://github.com/MISP/MISP/releases/tag/v2.4.193
Restart Required: Yes
Instructions:
1. Back up your MISP instance and database.
2. Update to version 2.4.193 or later using git: 'git pull origin 2.4'
3. Run the update script: 'sudo -u www-data bash /var/www/MISP/app/Console/cake Admin update'
4. Restart your web server (Apache/Nginx).
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Privileges
Limit admin accounts to only trusted personnel and implement strong authentication controls.
Input Validation Filter
Implement web application firewall rules or input validation to block script injection in menu_custom_right_link parameters.
🧯 If You Can't Patch
- Implement strict access controls for admin accounts and monitor admin activity logs
- Deploy a WAF with XSS protection rules to filter malicious input
🔍 How to Verify
Check if Vulnerable:
Check your MISP version by navigating to Administration -> Server Settings -> Diagnostics in the web interface, or check the version file: cat /var/www/MISP/VERSION.json
Check Version:
VERSION.json stores the release as separate "major", "minor" and "hotfix" fields rather than a single "version" string, so join them to get the dotted version:
sed -E 's/.*"major": *([0-9]+).*"minor": *([0-9]+).*"hotfix": *([0-9]+).*/\1.\2.\3/' /var/www/MISP/VERSION.json
Verify Fix Applied:
Verify version is 2.4.193 or later using the same methods. Also check that menu_custom_right_link parameters are properly sanitized in the UI.
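As an added check (example code written for this page, not MISP's own tooling), the script below parses VERSION.json, compares it against the fixed release, and flags menu_custom_right_link values that carry markup or script-like content, decoding them first so encoded payloads are not missed. It assumes VERSION.json uses MISP's major/minor/hotfix keys; the sample file content and link values are constructed, and the function names are hypothetical.

```python
import html
import json
import re
from urllib.parse import unquote

# Fixed release named on this page.
FIXED_VERSION = (2, 4, 193)

# Assumed layout of /var/www/MISP/VERSION.json (major/minor/hotfix keys);
# the sample content below is constructed for this example.
SAMPLE_VERSION_JSON = '{"major":2, "minor":4, "hotfix":190}'

# Constructed sample values for the menu_custom_right_link setting.
SAMPLE_LINK_VALUES = [
    "https://intel.example.org/dashboard",
    "https://x.example.org/?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "javascript:alert(1)",
    'https://ok.example.org/" onmouseover="alert(1)',
]

def parse_version(text):
    """Return (major, minor, hotfix) from VERSION.json content."""
    data = json.loads(text)
    try:
        return (int(data["major"]), int(data["minor"]), int(data["hotfix"]))
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("unrecognised VERSION.json layout") from exc

def is_vulnerable(version):
    """True when the running release predates the fixed release."""
    return tuple(version) < FIXED_VERSION

# Markup or script-like constructs that have no place in a plain link URL.
_SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|(?:^|[\s\"'/])on\w+\s*=|<\s*(?:iframe|img|svg)", re.I)

def suspicious_link(value):
    """Flag a menu link value carrying markup; URL-decode twice and
    HTML-unescape first so encoded payloads are not missed."""
    decoded = html.unescape(unquote(unquote(value)))
    return bool(_SUSPICIOUS.search(decoded))

def audit(version_json, link_values):
    """Combine the version check with a scan of the current link values."""
    version = parse_version(version_json)
    return {"version": ".".join(map(str, version)),
            "vulnerable": is_vulnerable(version),
            "flagged_links": [v for v in link_values if suspicious_link(v)]}
```

Run audit() with the real file content and the current setting values exported from Server Settings; a non-empty flagged_links list on a patched instance still warrants review of who last changed the link.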
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying menu links
- HTTP requests containing script tags in menu_custom_right_link parameters
- Multiple failed login attempts on admin accounts
Network Indicators:
- Unexpected JavaScript execution in MISP web interface
- Suspicious outbound connections from MISP server
SIEM Query:
source="misp_logs" AND (event="admin_menu_update" OR parameters CONTAINS "script")