CVE-2017-13671
6.1 MEDIUMapp/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments
Published: 2017-08-24 · Last updated: 2026-06-22
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Affected products
| Vendor | Product |
|---|---|
| misp-project | misp |
Description
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2017-13671
- [Other]http://www.securityfocus.com/bid/100533
- [Patch]https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
- [Other]http://www.securityfocus.com/bid/100533
- [Patch]https://github.com/MISP/MISP/commit/6eba658d4a648b41b357025d864c19a67412b8aa
Related CVEs
Same vendor
- CVE-2021-41326 — In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call (9.8 CRITICAL)
- CVE-2021-39302 — MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value (9.8 CRITICAL)
- CVE-2021-37743 — app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format (5.4 MEDIUM)
- CVE-2021-37742 — app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships (5.4 MEDIUM)
- CVE-2021-37534 — app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster (5.4 MEDIUM)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)