
CVE-2024-54675: n/a

Severity: Medium
Published: Wed Dec 04 2024 (12/04/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 03:22:52 UTC

Technical Analysis

CVE-2024-54675 is a stored cross-site scripting (XSS) vulnerability identified in the MISP (Malware Information Sharing Platform & Threat Sharing) software, specifically in the JavaScript file app/webroot/js/workflows-editor/workflows-editor.js. This vulnerability affects MISP versions through 2.5.2 and resides in the editor interface used for creating or modifying ad-hoc workflows. Stored XSS occurs when malicious input is saved by the application and later rendered in a way that executes the injected script in the context of other users' browsers. In this case, an attacker can craft malicious payloads that, when stored in the workflow editor, will execute when a user loads or interacts with the affected interface. The vulnerability does not require any privileges or authentication, but it does require user interaction (such as viewing or editing the workflow). The CVSS 3.1 base score is 6.1, indicating medium severity, with the vector string AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This means the attack can be launched remotely over the network with low complexity, no privileges, but requires user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. Currently, no known exploits are reported in the wild, and no official patches or fixes have been linked or published yet. Given MISP's role in threat intelligence sharing, this vulnerability could be leveraged to execute malicious scripts that steal session tokens, manipulate displayed data, or perform actions on behalf of authenticated users, potentially undermining trust in the platform.

Potential Impact

The primary impact of CVE-2024-54675 is the potential for attackers to execute arbitrary JavaScript in the browsers of users interacting with the vulnerable MISP workflows editor. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, and manipulation or corruption of displayed threat intelligence data. Since MISP is widely used by security teams, government agencies, and private organizations for sharing sensitive threat information, exploitation could result in leakage of confidential intelligence or disruption of collaborative workflows. The vulnerability does not directly affect system availability but can undermine data integrity and confidentiality. Because no authentication or privileges are required to inject the malicious payload, and only user interaction is needed, the attack surface is broad. However, the requirement for user interaction and the medium severity score indicate that exploitation is not trivial but feasible. Organizations relying on MISP for critical threat intelligence sharing may face increased risk of targeted attacks aiming to compromise user sessions or inject misleading information into workflows, potentially impacting incident response and security operations.

Mitigation Recommendations

Until an official patch is released, organizations should apply the following mitigations to reduce risk from CVE-2024-54675:

1. Restrict access to the MISP workflows editor interface to trusted users only, using network segmentation, VPNs, or IP allow-listing to limit exposure.
2. Enforce strict input validation and sanitization on all user inputs in the workflows editor, where possible via custom configuration or temporary code modifications, to prevent malicious script injection.
3. Educate users to be cautious when interacting with ad-hoc workflows, especially those created by untrusted sources, and to report suspicious behavior.
4. Enable Content Security Policy (CSP) headers on the MISP web server to restrict execution of inline scripts and loading of untrusted resources, limiting the impact of injected scripts.
5. Monitor logs and user activity for unusual patterns that may indicate exploitation attempts.
6. Stay updated with MISP vendor announcements and apply patches promptly once available.
7. If feasible, deploy a web application firewall (WAF) with rules targeting XSS payloads on the workflows editor endpoints as an additional layer of defense.
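The stored XSS mechanism described in the Technical Analysis and the escaping and CSP mitigations above, as an added illustration that is not code from MISP or from this advisory: the rendering functions, the `STORED_NODE` sample (a constructed workflow node label carrying a script tag) and the CSP builder are hypothetical. The unsafe renderer concatenates stored text straight into markup, which is the pattern behind stored XSS; the safe renderer escapes every stored value at render time; the CSP header limits the damage if an escaping miss ever ships.

```javascript
// Added example (not MISP code): stored text rendered into HTML without
// escaping versus with escaping, plus a CSP header for defence in depth.
// All names and the sample node below are hypothetical/constructed.

// Constructed sample: a stored workflow node whose label carries markup.
const STORED_NODE = { id: 'node-1', label: '<script>alert(1)</script>Enrich' };

// Escape the five characters that change meaning in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored values are interpolated directly into markup,
// so a stored <script> element reaches the page as live HTML.
function renderNodeUnsafe(node) {
  return `<div class="node" id="${node.id}">${node.label}</div>`;
}

// Hardened pattern: every stored value is escaped at render time, so the
// same label is shown as literal text and never parsed as an element.
function renderNodeSafe(node) {
  return `<div class="node" id="${escapeHtml(node.id)}">${escapeHtml(node.label)}</div>`;
}

// Small regression check: does rendered markup still contain a script
// element? Useful as a unit test on any template that handles stored input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a CSP that forbids inline script and plugins, so an
// injected payload that slips past escaping is blocked by the browser.
// Directive names are standard CSP; the source list is a parameter so a
// deployment can add its own trusted script origins.
function buildCspHeader(scriptSources = ["'self'"]) {
  return [
    "default-src 'self'",
    `script-src ${scriptSources.join(' ')}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

console.log('unsafe :', renderNodeUnsafe(STORED_NODE));
console.log('safe   :', renderNodeSafe(STORED_NODE));
console.log('CSP    :', buildCspHeader());
```

Escaping at the point of output is what closes the stored XSS path; the CSP is a second layer that does not replace it. A test such as `containsScriptTag(renderNodeSafe(node))` asserting `false` for adversarial labels is a cheap way to keep the fix from regressing.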


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2024-12-04T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6bc4b7ef31ef0b55acc5

Added to database: 2/25/2026, 9:38:12 PM

Last enriched: 2/28/2026, 3:22:52 AM

Last updated: 4/12/2026, 7:44:01 AM

Views: 16
