CVE-2024-58130
📋 TL;DR
This vulnerability in MISP (Malware Information Sharing Platform) is a cross-site scripting (XSS) flaw: some REST endpoints can return a non-JSON (HTML) response in which attacker-controlled input is embedded without proper escaping. A victim who opens such a response in a browser while logged in to MISP executes the injected script in the context of their MISP session. All MISP instances running versions before 2.4.193 are affected.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP, the open-source threat intelligence sharing platform maintained by the MISP Project (https://github.com/MISP/MISP). It is a PHP (CakePHP) web application whose REST API shares URL paths with the web UI and is normally driven by clients such as PyMISP and MISP-to-MISP synchronisation.
⚠️ Risk & Real-World Impact
Worst Case
A script executing in a logged-in user's browser could read the session cookie (if it is not HttpOnly), perform actions as that user through the UI or API, redirect the user to an attacker-controlled site, or, where the payload is stored rather than reflected, persist and compromise every user who views the affected response.
Likely Case
An attacker gets malicious JavaScript into the input an affected endpoint reflects, lures an authenticated MISP user into loading that endpoint in a browser, and uses the resulting script execution to steal session tokens or perform actions as the victim, leading to account compromise.
If Mitigated
With output encoding in place (which is what the fix does) the injected script never executes. With only the stop-gap controls in place (a Content-Security-Policy that forbids inline script, HttpOnly and Secure session cookies) the injected markup may still render in the response, but it cannot run script or read the session cookie, so the impact is reduced to content injection in the affected response rather than code execution in the victim's session.
🎯 Exploit Status
Exploitation requires an attacker who can get input reflected into one of the affected endpoints' non-JSON responses (for example via a crafted URL or via data the attacker controls in MISP) and a victim who opens that response in a browser with a valid MISP session. Clients that consume JSON only (PyMISP, synchronisation) do not render HTML and are not themselves victims, but their users may be.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.193
Vendor Advisory: https://github.com/MISP/MISP/releases/tag/v2.4.193
Restart Required: No
Instructions:
1. Back up your MISP instance and its database.
2. Update the checkout to 2.4.193 or later. From the MISP directory (typically /var/www/MISP), run as the web server user: 'sudo -u www-data git pull origin 2.4' followed by 'sudo -u www-data git submodule update --init --recursive' so the bundled submodules (taxonomies, galaxies, object templates, warninglists) are updated with the code.
3. Run the update script: 'sudo -u www-data bash /var/www/MISP/app/Console/cake Admin update'.
4. Verify the update completed successfully (see How to Verify below).
🔧 Temporary Workarounds
Disable affected REST endpoints
Temporarily disable REST endpoints that return non-JSON responses until patching is possible, by commenting out or removing the affected routes in app/Config/routes.php. Note that MISP's REST endpoints share their URL paths with the web UI, so removing a route also removes the UI page and breaks API clients (PyMISP, synchronisation) that depend on it; this is a last resort, not a routine workaround.
Implement WAF rules
Configure the web application firewall in front of MISP to block requests whose URL, query string or body contains script tags or JavaScript event handlers. A WAF inspects requests, not the responses the page reflects into, and attackers routinely percent-encode or double-encode payloads, so match on the decoded request and treat this as a partial control only.
🧯 If You Can't Patch
- Send a strict Content-Security-Policy header that forbids inline script (for example a script-src without 'unsafe-inline') so an injected <script> tag does not execute. MISP's views use inline scripts, so roll this out with Content-Security-Policy-Report-Only first and check the reports before enforcing.
- Set the HttpOnly and Secure flags on the session cookie so that a script that does execute cannot read it over document.cookie and the cookie is never sent over plain HTTP.
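The two stop-gap controls above are only useful if they are actually in effect, and a CSP that still allows 'unsafe-inline' does nothing against an injected script tag. The following is an added example (not part of the original advisory and not MISP project code) that audits a captured set of response headers for both controls. The header values are constructed samples: a weak set with no CSP and a bare session cookie, and a hardened set; the cookie name CAKEPHP is used only as an illustration.

```python
"""Audit HTTP response headers for a script-restricting CSP and HttpOnly/Secure cookies.
Added example for this advisory; the header values below are constructed, not captured."""
from typing import Dict, List, Tuple

# Constructed sample: what a MISP front end might return before hardening.
WEAK_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "CAKEPHP=abc123; Path=/"),
]

# Constructed sample: the same response after applying the two workarounds.
HARDENED_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'"),
    ("Set-Cookie", "CAKEPHP=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def csp_blocks_inline_script(value: str) -> bool:
    """True if script execution is governed by a script-src (or default-src fallback)
    that allows neither 'unsafe-inline' nor a wildcard. Without such a directive an
    injected <script> tag runs as if no policy were set."""
    directives = parse_csp(value)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources and "*" not in sources


def cookie_flags(set_cookie: str) -> Dict[str, object]:
    """Extract the cookie name and whether HttpOnly / Secure are present (case-insensitive)."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def audit(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for the given headers; an empty list means both controls are present."""
    findings: List[str] = []
    csp_values = [v for k, v in headers if k.lower() == "content-security-policy"]
    if not csp_values:
        findings.append("no Content-Security-Policy header")
    elif not all(csp_blocks_inline_script(v) for v in csp_values):
        findings.append("CSP allows inline or wildcard script sources")
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if not cookies:
        findings.append("no Set-Cookie header seen")
    for raw in cookies:
        flags = cookie_flags(raw)
        if not flags["httponly"]:
            findings.append(f"cookie {flags['name']} lacks HttpOnly")
        if not flags["secure"]:
            findings.append(f"cookie {flags['name']} lacks Secure")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs) or "OK")
```

Feed it the headers from a real login response (for example from curl -i against the instance) rather than the constructed samples; a Content-Security-Policy-Report-Only header is deliberately not counted, because report-only mode does not block anything.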
🔍 How to Verify
Check if Vulnerable:
Check the MISP version: 'cd /var/www/MISP && git describe --tags'. If the reported tag is earlier than v2.4.193 you are vulnerable. Note that git describe may print a suffix such as v2.4.192-14-gabc1234 when the checkout has commits past the last tag; that is still a pre-2.4.193 checkout. The version is also exposed to authenticated API users as the "version" field of GET /servers/getVersion.
Check Version:
cd /var/www/MISP && git describe --tags
Verify Fix Applied:
After updating, confirm the version is 2.4.193 or later: 'cd /var/www/MISP && git describe --tags'. Then request one of the REST endpoints that previously returned a non-JSON response with a harmless marker string (for example a bare <b>test</b>) as input and confirm the marker comes back HTML-escaped rather than rendered.
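Comparing version strings by hand is where checks go wrong: git describe output carries a leading "v" and, on a checkout that is ahead of its last tag, a "-N-g<hash>" suffix, and a naive string comparison would rank "2.4.99" above "2.4.193". The following is an added example (not MISP project code) that normalises both forms and decides against the fixed release. The JSON body passed to is_vulnerable_from_getversion is a constructed sample of the /servers/getVersion response; only its "version" field is read.

```python
"""Decide whether a MISP version string is older than the fixed release 2.4.193.
Added example for this advisory. Accepts tags ("v2.4.193"), git-describe output
("v2.4.192-14-gabc1234", optionally "-dirty") and the plain "2.4.193" form found in
the /servers/getVersion JSON response."""
import json
import re
from typing import Tuple

FIXED_VERSION: Tuple[int, int, int] = (2, 4, 193)

# Optional leading v, three numeric components, optional "-<commits>-g<hash>" and "-dirty".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+)-g[0-9a-f]+)?(?:-dirty)?$")


def _match(text: str) -> "re.Match":
    m = _VERSION_RE.match(text.strip())
    if not m:
        # Fail loudly: an unrecognised string must not be silently treated as "fixed".
        raise ValueError(f"unrecognised version string: {text!r}")
    return m


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) as integers so that 2.4.193 > 2.4.99."""
    m = _match(text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def commits_past_tag(text: str) -> int:
    """Number of commits after the nearest tag reported by git describe (0 for an exact tag)."""
    return int(_match(text).group(4) or 0)


def is_vulnerable(text: str) -> bool:
    """True when the checkout is older than 2.4.193. A checkout reported as
    v2.4.192-N-g<hash> is still treated as vulnerable: commits past the 2.4.192 tag do
    not prove the fix is present; only reaching the 2.4.193 tag (or later) does."""
    return parse_version(text) < FIXED_VERSION


def is_vulnerable_from_getversion(body: str) -> bool:
    """Same decision from the JSON body of GET /servers/getVersion (field "version")."""
    return is_vulnerable(json.loads(body)["version"])


if __name__ == "__main__":
    import subprocess  # only used for the optional live check below

    try:
        described = subprocess.check_output(["git", "describe", "--tags"], text=True)
        print(described.strip(), "vulnerable" if is_vulnerable(described) else "fixed")
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        print("could not determine version from git:", exc)
```

Run it from inside the MISP checkout, or pipe the "version" field of the API response into is_vulnerable_from_getversion; either way a ValueError rather than a silent "fixed" verdict is what you want for a string the parser does not understand.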
📡 Detection & Monitoring
Log Indicators:
- Requests to MISP endpoints whose URL or query string contains script tags, JavaScript URLs or event-handler attributes (onload=, onerror= and similar), including their percent-encoded forms
- A user's session being used from a new source IP or user agent shortly after that user loaded a suspicious URL (possible session-token theft)
Network Indicators:
- HTTP requests containing script tags or JavaScript in REST endpoint parameters, in plain or percent-encoded form
- REST requests answered with text/html where the client asked for application/json (Accept header), which is the condition the flaw depends on
SIEM Query (field names source and uri are placeholders for your log schema; MISP's REST endpoints share paths with the web UI, for example /events/ and /attributes/, so do not filter on a /rest/ prefix, and include encoded forms or the query misses them):
source="misp_access_logs" AND (uri="*<script*" OR uri="*%3Cscript*" OR uri="*javascript:*" OR uri="*onload=*" OR uri="*onerror=*" OR uri="*onerror%3D*")