MISP v2.5.24 - Security & Stability Update
This release focuses on security enhancements, bug fixes, and minor improvements to stability and functionality.
- GCVE-1-2025-0010 < MISP 2.5.24 - Arbitrary file-hash inclusion via templates in the template engine in MispAttribute allows a web user to obtain the MD5 hash of any file accessible to them via inclusion of tmp_name in templates.
- GCVE-1-2025-0011 < MISP 2.5.24 - Invalid check for uploaded file validity in EventsController can lead to arbitrary file inclusion / deletion via import modules by spoofing the tmp_name of the request.
- GCVE-1-2025-0012 < MISP 2.5.24 - Potential vulnerability in file check upload but this vulnerability is non-exploitable as the code is never executed. This vulnerability information is kept for archiving.
- GCVE-1-2025-0013 < MISP 2.5.24 - Authorization bypass / improper access control in app/Controller/SharingGroupBlueprintsController.php in MISP on web application /or API allows an authenticated low-privilege user to inject arbitrary organizations into existing sharing groups (including groups that should not be extendable), thereby granting those organizations access to shared resources and escalating access via crafted sharing-group blueprints or API requests that bypass validation.
- GCVE-1-2025-0014 < MISP 2.5.24 - Cross-site scripting in Mermaid chart rendering component in MISP event report allows a remote attacker part of a MISP community to execute arbitrary JavaScript in the victim’s browser via injection of HTML tags in raw Mermaid charts synchronized through event reports.
- GCVE-1-2025-0015 < MISP 2.5.24 - Cross-site scripting in decaying tool simulation UI/component in MISP on web application allows an attacker/org who can set an organization’s display name to execute arbitrary JavaScript in other users’ browsers when they view or run simulations via a crafted organization name containing a script payload that is rendered unsanitized when a specific attribute is chosen for the simulation.
- GCVE-1-2025-0016 < MISP 2.5.24 - Local file inclusion in [ImportFromUrl() URL handling component in MISP event report (with pandoc support) on server-side document import feature / web application allows an attacker who can supply a URL to read local filesystem documents and disclose sensitive information (limited to document file types) via providing file:// URLs to ImportFromUrl() that are fetched without proper scheme/host validation.
Thanks to Raphael Lob and Jeroen Pinoy from NATO Cyber Security Center for the security evaluation and report.
