Bsimvis
Monthly
Stored cross-site scripting in MISP BSimVis through v0.2.0 allows network-accessible attackers who can create or influence tag names, collection names, entity identifiers, cluster names, or tag metadata to inject malicious payloads that execute in victims' browsers. The vulnerability spans multiple client-side rendering paths in tags.js, where user-controlled values were interpolated raw into innerHTML, HTML attributes, inline JavaScript event handlers, and CSS style values - covering tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. No public exploit has been identified at time of analysis; the issue was reported and patched by CIRCL, the primary MISP development organization.
Stored cross-site scripting in MISP BSimVis through v0.2.0 allows network-accessible attackers who can create or influence tag names, collection names, entity identifiers, cluster names, or tag metadata to inject malicious payloads that execute in victims' browsers. The vulnerability spans multiple client-side rendering paths in tags.js, where user-controlled values were interpolated raw into innerHTML, HTML attributes, inline JavaScript event handlers, and CSS style values - covering tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. No public exploit has been identified at time of analysis; the issue was reported and patched by CIRCL, the primary MISP development organization.