Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Network-reachable web UI (AV:N), straightforward injection (AC:L), requires an authenticated workflow-editor account (PR:L), needs the victim to load the page (UI:R), and the injected script crosses the session/authorization boundary (S:C), giving full session compromise.
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
Description (NVD)
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
Analysis (AI)
Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated users with workflow privileges to inject arbitrary JavaScript via the workflow execution path view (executionPath.ctp), where doT.js template expressions used unescaped interpolation. Successful exploitation against a user who views the affected page (UI:R) results in scope-changed compromise of the victim's MISP session, including high-confidentiality/integrity/availability impact (CVSS 9.0). Publicly available exploit code exists in researcher-published repositories; no CISA KEV listing at time of analysis.
Technical Context (AI)
MISP is an open-source threat intelligence sharing platform written in PHP (CakePHP) with client-side templating provided by doT.js. In doT.js, the {{=expr}} syntax performs raw, unescaped interpolation, while {{!expr}} HTML-encodes the value. The pre-patch executionPath.ctp template rendered workflow node attributes (icon, icon_class, icon_path, name) through {{=}}, so any attacker-influenced workflow metadata was injected verbatim into the DOM - a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. The affected CPE is cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:* covering all builds prior to 2.5.28.
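To make the doT.js distinction concrete, here is an added example (not code from MISP or doT.js) with a minimal renderer that reproduces the two interpolation forms, {{=expr}} inserted verbatim and {{!expr}} HTML-encoded, rendered over constructed workflow node metadata, plus a small audit helper that lists every raw interpolation in a template. The escape table and the `&(?!#?\w+;)` lookahead are modelled on doT.js's encodeHTML (an assumption about that library); the two templates below are illustrative and not the real executionPath.ctp markup.

```javascript
// Added example, not MISP or doT.js code: a tiny doT-style renderer that shows
// the difference between {{=expr}} (raw) and {{!expr}} (HTML-encoded).

// Replacement table and lookahead modelled on doT.js's encodeHTML (assumption:
// numeric entities; an existing entity such as &amp; is left untouched).
const HTML_ESCAPES = { '&': '&#38;', '<': '&#60;', '>': '&#62;', '"': '&#34;', "'": '&#39;', '/': '&#47;' };
const MATCH_HTML = /&(?!#?\w+;)|<|>|"|'|\//g;

function encodeHTML(s) {
  return String(s).replace(MATCH_HTML, (ch) => HTML_ESCAPES[ch]);
}

// Matches {{=...}} and {{!...}}; group 1 is the mode, group 2 the expression.
const TAG_RE = /\{\{([=!])\s*([^}]+?)\s*\}\}/g;

// Only dotted property access on `it` (doT's default data variable) is supported.
function resolve(it, expr) {
  if (!/^it(\.\w+)*$/.test(expr)) throw new Error('unsupported expression: ' + expr);
  return expr.split('.').slice(1).reduce((o, k) => (o == null ? undefined : o[k]), it);
}

function render(template, it) {
  return template.replace(TAG_RE, (_, mode, expr) => {
    const v = resolve(it, expr);
    const s = v == null ? '' : String(v);
    return mode === '!' ? encodeHTML(s) : s; // '=' inserts verbatim, '!' escapes
  });
}

// Audit helper: every {{=...}} expression in a template, so a reviewer can ask
// whether each value can be influenced by a user.
function findRawInterpolations(template) {
  return Array.from(template.matchAll(TAG_RE))
    .filter((m) => m[1] === '=')
    .map((m) => m[2]);
}

// Constructed templates in the pre- and post-patch shape described in the text
// (assumption: illustrative only, not the actual executionPath.ctp markup).
const VULNERABLE_TEMPLATE = '<span class="{{=it.icon_class}}"><i class="fa fa-{{=it.icon}}"></i> {{=it.name}}</span>';
const FIXED_TEMPLATE      = '<span class="{{!it.icon_class}}"><i class="fa fa-{{!it.icon}}"></i> {{!it.name}}</span>';

// Constructed node metadata whose name carries markup, as an untrusted workflow
// author could supply it.
const NODE = { icon: 'cog', icon_class: 'node-icon', name: 'Node "A" <script>evil()</script>' };

function renderVulnerable() { return render(VULNERABLE_TEMPLATE, NODE); }
function renderFixed() { return render(FIXED_TEMPLATE, NODE); }

console.log('raw interpolations (pre-patch):', findRawInterpolations(VULNERABLE_TEMPLATE));
console.log('raw interpolations (patched):  ', findRawInterpolations(FIXED_TEMPLATE));
console.log('vulnerable:', renderVulnerable());
console.log('fixed:     ', renderFixed());
```

Running the block prints the raw-interpolation list for each template and both renderings; the patched template emits the node name as `Node &#34;A&#34; &#60;script&#62;evil()&#60;&#47;script&#62;`, which the browser displays as text instead of executing. The `findRawInterpolations` helper is the kind of check worth running over any doT.js template that receives user-influenced data.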
Remediation (AI)
Vendor-released patch: upgrade to MISP 2.5.28 or later, which replaces unsafe doT.js {{=}} interpolation with HTML-escaped {{!}} interpolation in the workflow execution path template (fix commit https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054, release diff https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28). If immediate upgrade is not feasible, restrict the workflow_user / site_admin roles to a minimum set of trusted operators so untrusted users cannot author workflow node metadata, audit existing workflows for suspicious icon/name fields, and consider deploying a Content Security Policy that disallows inline scripts on the MISP UI - note this may break other MISP UI components that rely on inline script and should be validated in staging. As a last resort, disabling the workflows feature in config.php prevents access to the vulnerable view but removes legitimate automation functionality.
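For the "audit existing workflows" step, here is an added example (not MISP code) that walks an exported workflow object and reports any of the four attributes the pre-patch template rendered raw (icon, icon_class, icon_path, name) whose value looks like markup or script. The field names come from the advisory text above; the sample workflow structure is constructed for the example and is not MISP's real export schema, which is why the scan is schema-agnostic and simply recurses through whatever JSON it is given.

```javascript
// Added example, not MISP code: flag workflow node attributes that the
// vulnerable template rendered unescaped and that contain markup-like content.

// Attributes named in the advisory as rendered through {{=}} before the patch.
const RENDERED_FIELDS = new Set(['icon', 'icon_class', 'icon_path', 'name']);

// Conservative indicators that a value meant to be plain text carries markup.
const SUSPICIOUS = [
  { id: 'tag',     re: /<\/?[a-z!]/i },        // "<b", "</b", "<!--"
  { id: 'handler', re: /\bon[a-z]+\s*=/i },    // "onerror=", "onmouseover ="
  { id: 'js-url',  re: /javascript\s*:/i },    // "javascript:" in icon_path etc.
];

function auditValue(value) {
  if (typeof value !== 'string') return [];
  return SUSPICIOUS.filter((s) => s.re.test(value)).map((s) => s.id);
}

// Recurse through any JSON structure; report findings with a JSONPath-like location.
function auditWorkflow(obj, path = '$', findings = []) {
  if (Array.isArray(obj)) {
    obj.forEach((v, i) => auditWorkflow(v, `${path}[${i}]`, findings));
  } else if (obj && typeof obj === 'object') {
    for (const [key, value] of Object.entries(obj)) {
      const here = `${path}.${key}`;
      if (RENDERED_FIELDS.has(key)) {
        const indicators = auditValue(value);
        if (indicators.length) findings.push({ path: here, indicators, value });
      }
      auditWorkflow(value, here, findings);
    }
  }
  return findings;
}

// Constructed sample (assumption: shape is illustrative, not MISP's export format).
// Node 1 is benign; node 2 carries a tag with an event-handler attribute in its name.
const SAMPLE_WORKFLOW = {
  name: 'Enrich new events',
  data: {
    '1': { id: 1, data: { id: 'trigger-event-publish', name: 'Event publish', icon: 'upload', icon_class: 'fa' } },
    '2': { id: 2, data: { id: 'custom-module', name: 'Notify <b onmouseover="run()">team</b>', icon: 'bell', icon_path: '/img/icons/bell.png' } },
  },
};

function auditSample() { return auditWorkflow(SAMPLE_WORKFLOW); }

for (const f of auditSample()) {
  console.log(`${f.path}: ${f.indicators.join(',')} -> ${JSON.stringify(f.value)}`);
}
```

Any finding is a workflow to inspect by hand (and, if it was authored by an untrusted user, a reason to review who holds workflow privileges); a clean run on a pre-2.5.28 instance does not remove the need to upgrade, because the template itself is what the fix changes.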