MISP · MISP · CVE-2020-24085
Name of the Vulnerable Software and Affected Versions:
MISP version 2.4.128
Description:
A cross-site scripting (XSS) issue exists because the `path` parameter is not validated, allowing an attacker to inject JavaScript that executes in the browser of a user who views the affected page. The issue is in the `SetHomePage()` function in `UserSettingsController.php`.
Recommendations:
For MISP version 2.4.128, validate the `path` parameter so that malicious input is rejected, and prevent user-supplied JavaScript from being rendered by the `SetHomePage()` function until a proper fix is applied. As a temporary workaround, restrict access to the functionality served by `UserSettingsController.php` to minimize the risk of exploitation.
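As an added illustration of the first recommendation (example code, not MISP's own), a hypothetical PHP helper that validates a user-supplied home page `path` before it is stored and HTML-encodes it before it is rendered; the function names, the character allowlist and the assumption that only relative in-app routes are acceptable are mine.

```php
<?php
// Hypothetical helper, not MISP code. Assumes a valid home page is a
// relative in-app route such as "/events/index", never a full URL.
function isSafeHomePagePath(string $path): bool
{
    // Exactly one leading "/" ("//host" would be a protocol-relative URL).
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return false;
    }
    // No control characters, whitespace, quotes, markup or backslashes.
    if (preg_match('/[\x00-\x1F\x7F\s<>"\'`\\\\]/', $path)) {
        return false;
    }
    // No traversal segments.
    foreach (explode('/', $path) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return false;
        }
    }
    // Allowlist of characters seen in ordinary route paths and query strings.
    return (bool) preg_match('#^/[A-Za-z0-9_\-./?=&%]*$#', $path);
}

// Encode on output as well, regardless of what was stored (defense in depth).
function renderHomePageLink(string $path): string
{
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed sample inputs with the expected verdict.
$samples = [
    '/events/index'                             => true,
    '/events/view/1?tab=objects'                => true,
    '//evil.example/x'                          => false,
    'javascript:alert(1)'                       => false,
    '/events/index"><script>alert(1)</script>'  => false,
    '/../admin'                                 => false,
];
foreach ($samples as $path => $expected) {
    $verdict = isSafeHomePagePath($path) ? 'accepted' : 'rejected';
    echo str_pad($verdict, 9) . $path . PHP_EOL;
    assert(isSafeHomePagePath($path) === $expected);
}
echo renderHomePageLink('/events/index') . PHP_EOL;
```

Only a path that passes `isSafeHomePagePath()` should be persisted as the setting; `renderHomePageLink()` encodes on output so that a stored value can never be interpreted as markup.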