CVE-2025-67906
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: MITRE

Description
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67906
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp to 2.5.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67906 is a stored Cross-Site Scripting (XSS) vulnerability in the MISP platform, specifically in the workflow execution path component. It arises because user-controlled inputs such as workflow names and icons are not properly escaped before being rendered in the web interface, allowing attackers to inject malicious JavaScript code. This code executes in the browsers of users who view the affected workflow, potentially leading to session hijacking, data theft, or manipulation of workflows. [1, 3, 4]

Impact Analysis

This vulnerability can allow an attacker with low privileges to execute arbitrary JavaScript in the context of the MISP application. The impacts include session hijacking, user impersonation, privilege escalation, and exfiltration of sensitive data such as user lists and threat intelligence events. Because the malicious script is stored persistently, any user viewing the affected workflow can be compromised, potentially leading to account takeover and unauthorized access to confidential information. [3, 4]

Detection Guidance

This vulnerability can be detected by attempting to inject JavaScript payloads into the workflow execution path, specifically targeting the 'Trigger Name' field in user-defined workflows via POST requests to /workflows/edit/{id}. The presence of stored XSS can be confirmed by viewing the affected workflow graph at /workflows/view/{id} and checking for execution of injected scripts. Additionally, the provided Python-based Proof of Concept (PoC) scripts can be used to test for the vulnerability by injecting alert pop-ups or extracting user information. No specific network commands are provided, but testing involves interacting with the MISP web interface and using the PoC scripts. [4]

Mitigation Strategies

Immediate mitigation steps include upgrading MISP to version 2.5.28 or later, where the vulnerability is fixed by properly escaping user-controlled variables in the workflow execution path template (app/View/Elements/Workflows/executionPath.ctp). If upgrading is not immediately possible, restrict access to the workflow editing and viewing features to trusted users only, and monitor for suspicious activity. Applying the patch from commit 1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054 will also remediate the issue by escaping variables to prevent XSS. [1]

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in the context of the MISP application, potentially leading to session hijacking, data exfiltration, user impersonation, and privilege escalation. Such impacts can result in unauthorized access to sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA. Therefore, this XSS vulnerability could negatively affect compliance by exposing personal or sensitive information to attackers. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67906. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart