CVE-2024-54674 is a stored cross-site scripting (XSS) vulnerability identified in the open-source Malware Information Sharing Platform & Threat Sharing (MISP) software, specifically in the app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp component. This vulnerability exists in MISP versions through 2.5.2 and is triggered when exporting custom clusters into the misp-galaxy format. The flaw allows an attacker to inject malicious JavaScript code that is stored on the server and executed in the browser context of users who perform the export operation. The vulnerability stems from insufficient sanitization or encoding of user-supplied data before rendering it in the export template, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack vector is network-based, requiring no privileges but does require user interaction (exporting the cluster). The vulnerability impacts confidentiality and integrity by enabling script execution that could steal session tokens, manipulate displayed data, or perform actions on behalf of the victim user. The CVSS 3.1 score of 6.1 reflects medium severity due to the combination of ease of exploitation and potential impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild, indicating this is a newly disclosed vulnerability. MISP is widely used by cybersecurity teams, CERTs, and threat intelligence communities for sharing threat data, so the vulnerability could be leveraged to compromise trusted environments if exploited.

The impact of CVE-2024-54674 is primarily on confidentiality and integrity within organizations using vulnerable MISP versions. Successful exploitation could allow attackers to execute arbitrary scripts in the context of users exporting clusters, potentially leading to theft of session cookies, unauthorized actions within the MISP interface, or injection of malicious content into exported data. This could undermine trust in threat intelligence sharing platforms and lead to further compromise if attackers pivot from stolen credentials or session tokens. Although availability is not directly affected, the reputational damage and potential data leakage could be significant for organizations relying on MISP for critical security operations. Given MISP’s role in cybersecurity communities worldwide, the vulnerability could facilitate targeted attacks against security teams, especially in sectors like government, finance, and critical infrastructure. The requirement for user interaction (exporting clusters) limits automated exploitation but does not eliminate risk, especially in environments with many users or automated workflows.

To mitigate CVE-2024-54674, organizations should: 1) Upgrade MISP to a version where this vulnerability is patched once available; monitor official MISP channels for updates. 2) Implement strict input validation and output encoding on all user-supplied data in export templates to prevent script injection. 3) Restrict export functionality to trusted users and limit permissions to reduce exposure. 4) Educate users about the risks of exporting data from untrusted sources and encourage cautious handling of exported files. 5) Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution contexts. 6) Monitor logs and user activity for unusual export behavior that could indicate exploitation attempts. 7) Consider isolating MISP instances or using network segmentation to limit attacker movement if compromise occurs. These steps go beyond generic advice by focusing on both immediate risk reduction and long-term secure coding practices.