CVE-2022-27244: fix: [security] stored XSS in the user add/edit forms · MISP/MISP@61d4d36
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
fix: [security] stored XSS in the user add/edit forms
- a malicious site administrator could store an XSS payload in the custom auth name which would be executed each time the administrator modifies a user
- as reported by Ianis BERNARD - NATO Cyber Security Centre
1 parent dc63cb7 commit 61d4d3670593b78e4dab7a11eb620b7a372f30e6
Showing with 2 additions and 2 deletions.
- +1 −1 app/View/Users/admin_add.ctp
- +1 −1 app/View/Users/admin_edit.ctp
@@ -13,7 +13,7 @@
$password = false;
} else {
$userType = Configure::read(‘Plugin.CustomAuth_name’) ? Configure::read(‘Plugin.CustomAuth_name’) : 'External authentication’;
echo $this->Form->input('external_auth_required’, array(‘type’ => ‘checkbox’, ‘label’ => $userType . ' user’));
echo $this->Form->input('external_auth_required’, array(‘type’ => ‘checkbox’, ‘label’ => h($userType) . ' user’));
}
echo sprintf(
'<div class="clear"></div><div %s>%s</div>’,
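Review bot: the escape is applied only where the label is built, so `$userType` still holds the raw `Plugin.CustomAuth_name` value for any later output in this view. Consider escaping once at the assignment, or add a short comment on the `h($userType) . ' user'` line stating that the label text reaches the page unescaped, so the call is not dropped in a later refactor. The ternary also reads the setting twice; reading it into a variable once and falling back to the default would be tidier.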
@@ -16,7 +16,7 @@
$password = false;
} else {
$userType = Configure::read(‘Plugin.CustomAuth_name’) ? Configure::read(‘Plugin.CustomAuth_name’) : 'External authentication’;
echo $this->Form->input('external_auth_required’, array(‘type’ => ‘checkbox’, ‘label’ => $userType . ' user’));
echo $this->Form->input('external_auth_required’, array(‘type’ => ‘checkbox’, ‘label’ => h($userType) . ' user’));
}
echo sprintf(
'<div class="clear"></div><div %s>%s</div>’,
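Review bot: this `external_auth_required` block is identical to the one in the previous hunk, and the same one-line fix had to be made in both `admin_add.ctp` and `admin_edit.ctp`. Moving the block into a shared element would keep the `h()` call in one place and stop the two views from drifting apart. As defence in depth, the `Plugin.CustomAuth_name` value could also be validated when the setting is saved, since it is set by one site administrator and rendered for whichever administrator opens these forms.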