Mislav Božičević

#18270 of 53,635
14.9 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2021-11003 · CVSS 6.1 · 2021-01-20 · Misp · Misp · CVE-2020-24085
**Name of the Vulnerable Software and Affected Versions**
MISP version 2.4.128

**Description**
A cross-site scripting (XSS) issue exists due to a lack of validation in the `path` parameter, allowing an attacker to execute malicious JavaScript code. This occurs in the `SetHomePage()` function within the `UserSettingsController.php` file.

**Recommendations**
For MISP version 2.4.128, consider validating the `path` parameter to prevent malicious input, and restrict the execution of JavaScript code in the `SetHomePage()` function until a proper fix is applied. As a temporary workaround, restrict access to the `UserSettingsController.php` file to minimize the risk of exploitation.
PT-2020-14598 · CVSS 8.8 · 2020-07-14 · Misp · Misp · CVE-2020-15711
**Name of the Vulnerable Software and Affected Versions**
MISP versions prior to 2.4.129

**Description**
The issue concerns a lack of CSRF protection when setting a favourite homepage. This could potentially allow unauthorized actions to be performed.

**Recommendations**
For versions prior to 2.4.129, update to version 2.4.129 or later to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures for the favourite homepage setting until the update can be applied.