CVE-2025-67906
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: MITRE

Description
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: misp
Product: misp
Version / Range: all versions before 2.5.28 (2.5.28 itself excluded from the affected range)
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67906 is a stored Cross-Site Scripting (XSS) vulnerability in the MISP platform, specifically in the workflow execution path component. It arises because user-controlled inputs such as workflow names and icons are not properly escaped before being rendered in the web interface, allowing attackers to inject malicious JavaScript code. This code executes in the browsers of users who view the affected workflow, potentially leading to session hijacking, data theft, or manipulation of workflows. [1, 3, 4]


How can this vulnerability impact me?

This vulnerability can allow an attacker with low privileges to execute arbitrary JavaScript in the context of the MISP application. The impacts include session hijacking, user impersonation, privilege escalation, and exfiltration of sensitive data such as user lists and threat intelligence events. Because the malicious script is stored persistently, any user viewing the affected workflow can be compromised, potentially leading to account takeover and unauthorized access to confidential information. [3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The simplest check is the installed version: any MISP release before 2.5.28 is affected. To confirm the behaviour on a non-production instance, inject a JavaScript payload into the workflow execution path, specifically the 'Trigger Name' field of a user-defined workflow, via a POST request to /workflows/edit/{id}, then open the workflow graph at /workflows/view/{id} and check whether the injected script executes. The Python-based Proof of Concept (PoC) scripts in reference [4] automate this by injecting an alert pop-up or extracting user information. No network-level commands are provided; testing consists of interacting with the MISP web interface or running those PoC scripts. [4]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading MISP to version 2.5.28 or later, where the vulnerability is fixed by properly escaping user-controlled variables in the workflow execution path template (app/View/Elements/Workflows/executionPath.ctp). If upgrading is not immediately possible, restrict access to the workflow editing and viewing features to trusted users only, and monitor for suspicious activity. Applying the patch from commit 1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054 will also remediate the issue by escaping variables to prevent XSS. [1]
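As an added illustration (not code from MISP, from the fix commit, or from the PoC in reference [4]), the Python below contrasts the unescaped rendering pattern behind this class of bug with its escaped form, and adds a heuristic an operator can run over exported workflow data to flag node fields that carry HTML metacharacters. The node structure, field names and sample values are constructed for the example and are not MISP's workflow schema; in a CakePHP .ctp template, h() plays the role that html.escape plays here.

```python
import html
import re
from typing import Dict, Iterable, List

# Constructed sample workflow nodes (NOT MISP's real workflow schema): each
# node carries a user-controlled display name and an icon class, the kind of
# fields the advisory describes as reaching the execution-path template.
SAMPLE_NODES = [
    {"id": 1, "name": "Enrich attribute", "icon": "fa-search"},
    {"id": 2, "name": "<img src=x onerror=alert(document.cookie)>", "icon": "fa-bolt"},
    {"id": 3, "name": "Publish event", "icon": 'fa-check" onmouseover="alert(1)'},
]


def render_path_unsafe(nodes: Iterable[Dict]) -> str:
    """Illustrative vulnerable pattern (hypothetical, not MISP's template):
    user-controlled fields are concatenated into HTML without escaping."""
    parts = []
    for n in nodes:
        parts.append(
            f'<li class="node"><i class="{n["icon"]}"></i> {n["name"]}</li>'
        )
    return "<ul>" + "".join(parts) + "</ul>"


def render_path_safe(nodes: Iterable[Dict]) -> str:
    """Hardened form: every user-controlled value is HTML-escaped at the
    point it is placed into the page, including inside attribute values."""
    parts = []
    for n in nodes:
        icon = html.escape(str(n["icon"]), quote=True)
        name = html.escape(str(n["name"]), quote=True)
        parts.append(f'<li class="node"><i class="{icon}"></i> {name}</li>')
    return "<ul>" + "".join(parts) + "</ul>"


# Characters that can break out of a text node or an attribute in HTML.
_HTML_META = re.compile(r'[<>"\']')


def find_suspicious_nodes(nodes: Iterable[Dict], fields=("name", "icon")) -> List[Dict]:
    """Operator-side detection heuristic: flag stored nodes whose
    user-controlled fields contain HTML metacharacters. A hit is not proof
    of an attack, but legitimate node names rarely need angle brackets or
    quotes, so each hit is worth a manual look on an unpatched instance."""
    hits = []
    for n in nodes:
        flagged = [f for f in fields if _HTML_META.search(str(n.get(f, "")))]
        if flagged:
            hits.append({"id": n["id"], "fields": flagged})
    return hits


def script_survives(rendered: str, payload: str) -> bool:
    """True if the raw payload reaches the rendered page verbatim."""
    return payload in rendered


if __name__ == "__main__":
    payload = SAMPLE_NODES[1]["name"]
    print("unsafe render keeps payload:", script_survives(render_path_unsafe(SAMPLE_NODES), payload))
    print("safe render keeps payload:  ", script_survives(render_path_safe(SAMPLE_NODES), payload))
    print("suspicious nodes:", find_suspicious_nodes(SAMPLE_NODES))
```

Node 3 shows why escaping must also cover attribute values: its icon string closes the class attribute and adds an event handler, which html.escape(..., quote=True) neutralises by turning the quotes into &quot;. The heuristic is deliberately coarse; tune the field list to whatever user-controlled values your exported workflow data actually contains.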


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute arbitrary JavaScript in the context of the MISP application, potentially leading to session hijacking, data exfiltration, user impersonation, and privilege escalation. Such impacts can result in unauthorized access to sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA. Therefore, this XSS vulnerability could negatively affect compliance by exposing personal or sensitive information to attackers. [3, 4]

