CVE-2022-29529 in MISP

Summary

by MITRE • 04/21/2022

An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

Analysis

by VulDB Data Team • 06/23/2026

The vulnerability CVE-2022-29529 represents a stored cross-site scripting flaw within the MISP (Malware Information Sharing Platform) software ecosystem. This issue affects versions prior to 2.4.158 and specifically targets the LinOTP login field functionality. The vulnerability allows attackers to inject malicious scripts that persist within the application's database and execute whenever the affected page is accessed. The stored nature of this vulnerability means that the malicious payload remains in the system even after the initial injection, making it particularly dangerous as it can affect multiple users over time.

The technical flaw stems from inadequate input validation and output sanitization within the LinOTP authentication integration. When users enter data into the login field, the system fails to properly sanitize or escape special characters that could be interpreted as HTML or JavaScript code. This allows an attacker to submit malicious payloads that are then stored in the database and subsequently executed in the context of other users' browsers who access the affected interface. The vulnerability is classified as a stored XSS (CWE-79) under the Common Weakness Enumeration framework, which specifically addresses situations where malicious code is stored on a server and executed when accessed by other users.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. An attacker who successfully exploits this vulnerability can potentially escalate their privileges, access sensitive threat intelligence data, or manipulate the MISP platform's functionality. Given that MISP is designed for sharing critical cybersecurity information among organizations, the compromise of such a platform can have severe implications for the entire security community. The vulnerability aligns with ATT&CK technique T1566.002 for credential access through phishing and T1566.001 for social engineering attacks, as attackers can leverage this flaw to create convincing phishing pages that appear legitimate within the MISP interface.

Organizations using MISP versions prior to 2.4.158 should immediately implement mitigations including upgrading to the patched version 2.4.158 or later. Additional defensive measures include implementing strict input validation for all authentication fields, deploying web application firewalls, and conducting regular security assessments of the MISP installation. The vulnerability demonstrates the critical importance of validating and sanitizing all user inputs, particularly in authentication interfaces where attackers have the most opportunities to inject malicious content. Security teams should also consider implementing monitoring for unusual login patterns and conducting user awareness training to recognize potential phishing attempts that could exploit this vulnerability.
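
The two controls named above, allowlist validation of the login field and encoding on output, together with an audit pass for values stored before the upgrade, shown as an added example. This is not MISP's code or its patch; the function names, row layout and login-name policy are assumptions, and the sample records are constructed.

```python
import html
import re

# Assumed policy (not MISP's): login names are 1-64 characters drawn from
# letters, digits and . _ @ + - ; anything else is rejected before storage.
LOGIN_RE = re.compile(r"[A-Za-z0-9._@+-]{1,64}")


def is_valid_login(value: str) -> bool:
    """Allowlist check applied before the submitted value is stored."""
    return LOGIN_RE.fullmatch(value) is not None


def render_row_unsafe(login: str) -> str:
    """The flawed pattern: the stored value is concatenated into HTML as-is."""
    return "<td>" + login + "</td>"


def render_row_safe(login: str) -> str:
    """Output encoding: markup characters are turned into inert entities."""
    return "<td>" + html.escape(login, quote=True) + "</td>"


def audit_stored_logins(rows):
    """Return the ids of stored rows whose login value fails the allowlist.

    Stored payloads outlive the upgrade, so records written before the fix
    need a one-off review even after the rendering code is corrected.
    """
    return [row_id for row_id, login in rows if not is_valid_login(login)]


# Constructed sample records (id, login as submitted); not real data.
SAMPLE_ROWS = [
    (1, "alice@example.org"),
    (2, "bob<script>/* constructed marker */</script>"),
    (3, "carol.smith"),
]

if __name__ == "__main__":
    print("rows to review:", audit_stored_logins(SAMPLE_ROWS))
    for _, login in SAMPLE_ROWS:
        print(render_row_safe(login))
```

Encoding at output is the control that closes the flaw; the allowlist and the audit reduce what reaches storage and surface what is already there.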

Reservation

04/20/2022

Disclosure

04/21/2022

Moderation

accepted

CPE

ready

EPSS

0.00786

KEV

no

Activities

very low
