VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54395

Description

MISP UiBeta event index view contains a reflected XSS vulnerability where crafted URL parameters bypass HTML escaping to execute arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The reflected cross-site scripting (XSS) vulnerability is in the UiBeta event index view of MISP (app/View/Themed/UiBeta/Events/index.ctp). The $urlparams value, which is derived from request parameters such as searcheventinfo, is written into the inline onclick handler of the "Advanced Filter..." button inside a single-quoted JavaScript string, protected only by HTML escaping (h()). HTML escaping turns a single quote into &#039;, but the browser decodes character references in attribute values before the handler is parsed as JavaScript, so the quote is restored and a crafted searcheventinfo value terminates the string and appends arbitrary JavaScript. This affects MISP versions prior to the commit that introduced the fix (reference [1]).

Exploitation

An attacker crafts a URL whose searcheventinfo value contains a single quote (URL-encoded as %27) followed by JavaScript, and delivers it to a user of the instance. The attacker needs no account on the MISP instance; the victim must be a logged-in MISP user who opens the link while using the UiBeta event index, since the payload lands in that view's onclick handler. Because the injection point is the button's onclick attribute rather than page markup, the injected script runs when the victim clicks "Advanced Filter..." on the page opened from the crafted URL. The attack is reflected: the payload travels in the URL and is not stored on the server.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser in the context of the MISP instance. This can lead to information disclosure (including session tokens, CSRF tokens, and sensitive data viewed through MISP), session hijacking, and potential further compromise of the MISP instance or its users.

Mitigation

The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer. The fix is implemented in commit b865deb (reference [1]). Users should update their MISP installation to a version that includes this commit. No official release version has been announced in the available references, and the vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp/Misp, 2 versions (no CPE assigned)

Patches

b865deb036ca

fix: [security] org logo path traversal and xss in ui_beta

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
2 files changed · +15 −13
  • app/Controller/OrganisationsController.php (+10 −12, modified)
    @@ -411,22 +411,20 @@ public function getOrgLogo($id) {
                 throw new NotFoundException(__('Invalid organisation'));
             }
             $path = APP . 'files/img/orgs/';
    -        $image = null;
    +        $realBase = realpath($path);
             foreach (['id', 'name', 'uuid'] as $field) {
    -            foreach (['png', 'svg'] as $extensions) {
    -                if (file_exists($path . $org['Organisation'][$field] . '.' . $extensions)) {
    -                    $this->response->file($path . $org['Organisation'][$field] . '.' . $extensions, ['download' => false, 'name' => $org['Organisation']['id'] . '.' . $extensions]);
    +            foreach (['png', 'svg'] as $extension) {
    +                $candidate = realpath($path . $org['Organisation'][$field] . '.' . $extension);
    +                // realpath() resolves '..' and symlinks and returns false when the file does not
    +                // exist; the prefix check rejects anything that escapes the orgs directory. Without
    +                // it an attacker-controlled field such as the organisation name (e.g.
    +                // '../../../../AI-marketing') would allow path traversal to arbitrary png/svg files.
    +                if ($candidate !== false && $realBase !== false && str_starts_with($candidate, $realBase . DS)) {
    +                    $this->response->file($candidate, ['download' => false, 'name' => $org['Organisation']['id'] . '.' . $extension]);
                         return $this->response;
                     }
                 }
             }
    -        if ($image) {
    -            $filePath = $path . $image;
    -            $this->response->file($filePath, array('download' => false, 'name' => $image));
    -            return $this->response;
    -        } else {
    -            throw new NotFoundException(__('Organisation logo not found'));
    -        }
    -
    +        throw new NotFoundException(__('Organisation logo not found'));
         }
     }
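Review bot: $realBase is only tested inside the inner loop, so when realpath($path) fails (orgs directory missing or unreadable) every field/extension combination is still iterated before falling through to the generic NotFoundException; hoist `if ($realBase === false) { throw new NotFoundException(__('Organisation logo not found')); }` above the foreach so that failure mode is explicit and the loop does no wasted realpath() calls. Also note that str_starts_with() requires PHP 8.0; if the project still supports earlier PHP releases, this line needs a polyfill or `strncmp($candidate, $realBase . DS, strlen($realBase . DS)) === 0`.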
    
  • app/View/Themed/UiBeta/Events/index.ctp (+5 −1, modified)
    @@ -120,7 +120,11 @@
                     </select>
                     <input type="text" id="quickFilterField" class="form-control beta-search-input" placeholder="<?= __('Enter value to search') ?>" data-searchkey="<?= h($searchKey) ?>">
                     <button id="quickFilterButton" class="btn btn-primary beta-search-button"><?= __('Filter') ?></button>
    -                <button class="btn btn-default beta-advanced-filter-button" onclick="getPopup('<?= h($urlparams) ?>', 'events', 'filterEventIndex')">
    +                <?php /* json_encode emits a properly-escaped JS string literal; h() then guards the
    +                       attribute layer. Plain h($urlparams) inside a single-quoted JS string is unsafe
    +                       here: the browser HTML-decodes the onclick value before JS parsing, restoring any
    +                       &#039; and allowing a crafted searcheventinfo value to break out (XSS). */ ?>
    +                <button class="btn btn-default beta-advanced-filter-button" onclick="getPopup(<?= h(json_encode($urlparams)) ?>, 'events', 'filterEventIndex')">
                         <i class="fa fa-search"></i> <?= __('Advanced Filter...') ?>
                     </button>
                     <button id="multi-delete-button" class="btn btn-default hidden mass-delete" onclick="multiSelectDeleteEvents()" title="<?= __('Delete selected events') ?>">
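Review bot: json_encode() returns false when its input is not valid UTF-8, and $urlparams is built from request input; in that case h(false) renders as an empty string and the attribute becomes `getPopup(, 'events', 'filterEventIndex')`, a syntax error that silently disables the Advanced Filter button. Pass JSON_INVALID_UTF8_SUBSTITUTE (PHP 7.2+) or validate the encoding before rendering. Adding JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP would also make the literal safe on its own, so the line does not depend on h() being kept in place if the handler is later moved.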
    

Vulnerability mechanics

Root cause

"The `$urlparams` value is inserted into a single-quoted JavaScript string using only HTML escaping, but the browser HTML-decodes attribute values before JS parsing, allowing a crafted `searcheventinfo` value containing `&#039;` to break out of the string."

Attack vector

An attacker crafts a URL whose `searcheventinfo` parameter contains a literal single quote (sent URL-encoded as `%27`) followed by JavaScript. The template places the `$urlparams` value derived from that parameter directly into a single-quoted JavaScript string inside the button's `onclick` handler, protected only by `h()` (HTML escaping), which turns the quote into `&#039;`. Because the browser decodes character references in attribute values before the JavaScript engine parses the handler, `&#039;` becomes a literal `'` again, terminating the string and letting the rest of the value run as code. Sending `&#039;` itself does not work: `h()` would encode the ampersand as `&amp;`, and the browser would decode that back to the harmless text `&#039;`. The attacker lures a victim who uses the UiBeta event index into opening the URL; the injected script executes in the victim's browser, in the security context of the MISP instance, when the victim clicks the "Advanced Filter..." button. The preconditions are delivery of the crafted URL to the victim and that the victim is a logged-in MISP user viewing the UiBeta event index.

What the fix does

The fix wraps `$urlparams` in `json_encode()` before the existing `h()` call. `json_encode()` returns a double-quoted JavaScript string literal in which `"`, `\` and control characters are backslash-escaped (and, by default, `/` and non-ASCII characters as well). It does not escape single quotes unless `JSON_HEX_APOS` is passed, but that no longer matters: the literal is delimited by double quotes, and any `"` the attacker supplies arrives as `\"`. `h()` then escapes the result for the attribute layer, so when the browser decodes the attribute value the JavaScript engine sees exactly the literal `json_encode()` produced and the attacker cannot end it early. The patch also adds a code comment explaining why `h()` alone was insufficient.
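As an added example (not code from the MISP project), the following Node.js script models the round trip described above: the vulnerable and the fixed template lines are rendered with a stand-in for CakePHP's `h()` (htmlspecialchars with ENT_QUOTES) and `JSON.stringify` standing in for PHP's `json_encode()`, the attribute value is decoded the way a browser resolves character references before parsing the handler, and the handler is then executed with stubbed `getPopup()`/`alert()` to show which calls actually run. The payload, the entity decoder, the stubs and the helper names are constructed for this example; `JSON.stringify` differs from `json_encode()` only in not escaping `/` and non-ASCII characters, which does not change the outcome.

```javascript
// Added example, not MISP project code. Models how the UiBeta onclick value is
// escaped server-side, decoded by the browser, and then parsed as JavaScript.
//
// Stand-ins (assumptions): h() mimics CakePHP's h()/htmlspecialchars(ENT_QUOTES);
// JSON.stringify mimics PHP json_encode() (PHP additionally escapes "/" and
// non-ASCII, which changes nothing here); decodeAttr() mimics the browser's
// attribute-value decoding; getPopup()/alert() are recording stubs.

// Server side: CakePHP h() -> htmlspecialchars($s, ENT_QUOTES)
function h(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Browser side: character references in an attribute value are resolved once,
// before the resulting text is handed to the JS parser as the handler body.
function decodeAttr(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const key = ref.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : match;
  });
}

// Before the fix: h() output dropped into a single-quoted JS string.
function renderVulnerable(urlparams) {
  return `getPopup('${h(urlparams)}', 'events', 'filterEventIndex')`;
}

// After the fix: json_encode() builds the JS string literal, h() guards the attribute.
function renderFixed(urlparams) {
  return `getPopup(${h(JSON.stringify(urlparams))}, 'events', 'filterEventIndex')`;
}

// "Click" the button: decode the attribute as the browser would, then execute
// the handler body with stubs so we can record exactly which calls ran.
function simulateClick(attrValue) {
  const calls = { popups: [], alerts: [] };
  const handler = new Function("getPopup", "alert", decodeAttr(attrValue));
  handler((...args) => calls.popups.push(args), (msg) => calls.alerts.push(String(msg)));
  return calls;
}

// Constructed payload: a searcheventinfo value carrying a literal single quote.
// It would be sent URL-encoded (%27) and reaches the template as a plain quote.
const PAYLOAD = "searcheventinfo:x'); alert('pwned'); //";

function demo() {
  return {
    vulnerableAttr: renderVulnerable(PAYLOAD),
    vulnerable: simulateClick(renderVulnerable(PAYLOAD)), // alert() fires
    fixedAttr: renderFixed(PAYLOAD),
    fixed: simulateClick(renderFixed(PAYLOAD)),           // only getPopup() runs
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable attribute decoding to `getPopup('searcheventinfo:x'); alert('pwned'); //', ...`, where the comment swallows the rest of the call, while the fixed attribute decodes to a double-quoted literal that carries the whole payload into `getPopup()` as data. Feeding the literal text `&#039;` instead of a raw quote into the vulnerable template does not fire, because `h()` turns its ampersand into `&amp;`.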

Preconditions

  • input: the attacker must craft a URL whose `searcheventinfo` parameter contains a literal single quote (`'`) followed by JavaScript.
  • auth: the victim must be logged into the MISP instance and open the UiBeta event index page via the crafted URL.
  • network: the URL must reach the victim (for example via a phishing link or a forum post).

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

[1] MISP fix commit b865deb036ca, "fix: [security] org logo path traversal and xss in ui_beta", https://github.com/MISP/MISP (listed under Patches above).
