CVE-2026-56425
MISP · AAD Authentication Plugin
The Azure Active Directory (AAD) authentication plugin for MISP contains multiple OAuth 2.0 implementation flaws, including session token leakage and missing HTTPS enforcement.
Executive summary
Critical weaknesses in the MISP AAD authentication plugin expose users to session hijacking, session fixation, and credential theft because the plugin's OAuth 2.0 flow is implemented incorrectly.
Vulnerability
The authentication flow has several independent defects: the session identifier is reused as the OAuth state parameter, so the anti-CSRF value is neither fresh nor single-use and the session ID is exposed in the authorization URL to the identity provider, the browser history, and any intermediary that sees it; the session ID is not regenerated after a successful login, which leaves the flow open to session fixation; redirect URIs are not required to use HTTPS, so the authorization response can travel in cleartext; and request parameters are written to logs without redaction. Together these allow session hijacking, CSRF against the login flow, and exposure of credentials and tokens.
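To make the four defects concrete, the following is an added example written for this advisory; it is not code from MISP or its AAD plugin. The weak_* functions reproduce the pattern described above (session ID doubling as state, no session rotation after login, redirect URI accepted unchecked, full authorization URL including state written to the log), and the functions beside them show the corrected handling. The session store, endpoint, client ID, redirect URIs and user name are all constructed for the example; the code-for-token exchange with the identity provider is omitted.

```python
"""Illustrative OAuth 2.0 authorization-request handling (added example, not
MISP or plugin code). weak_* reproduces the advisory's pattern; the other
functions are the hardened counterparts. All names and values are made up."""
import hmac
import logging
import secrets
from urllib.parse import urlencode, urlsplit

log = logging.getLogger("oauth-example")


class Session:
    def __init__(self):
        self.sid = secrets.token_urlsafe(32)  # opaque value stored in the cookie
        self.data = {}


class SessionStore:
    def __init__(self):
        self._by_sid = {}

    def new(self):
        s = Session()
        self._by_sid[s.sid] = s
        return s

    def regenerate(self, session):
        """Issue a fresh session ID but keep the attributes (defeats fixation)."""
        del self._by_sid[session.sid]
        session.sid = secrets.token_urlsafe(32)
        self._by_sid[session.sid] = session
        return session.sid


def weak_build_authorize_url(authorize_endpoint, session, client_id, redirect_uri):
    """WEAK: session ID doubles as state, redirect_uri unchecked, full URL logged."""
    params = {"client_id": client_id, "response_type": "code", "scope": "openid",
              "redirect_uri": redirect_uri, "state": session.sid}
    url = f"{authorize_endpoint}?{urlencode(params)}"
    log.info("authorize redirect: %s", url)  # writes the session ID into the log
    return url


def weak_handle_callback(session, code, state, user):
    """WEAK: state is checked against the session ID itself; no rotation afterwards."""
    if state != session.sid:
        raise PermissionError("state mismatch")
    session.data["user"] = user  # an ID fixed before login is now authenticated
    return session.sid


def validate_redirect_uri(redirect_uri, allowed):
    """Accept only an exact allow-listed absolute https:// URI."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute https URL")
    if redirect_uri not in allowed:
        raise ValueError("redirect_uri is not on the allow-list")
    return redirect_uri


def build_authorize_url(authorize_endpoint, session, client_id, redirect_uri, allowed):
    """Hardened: random single-use state kept server-side; state never logged."""
    redirect_uri = validate_redirect_uri(redirect_uri, allowed)
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    params = {"client_id": client_id, "response_type": "code", "scope": "openid",
              "redirect_uri": redirect_uri, "state": state}
    log.info("authorize redirect for client_id=%s to %s", client_id, redirect_uri)
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(store, session, code, state, user):
    """Hardened: constant-time one-shot state check, then rotate the session ID.
    (The exchange of `code` for tokens at the identity provider is omitted.)"""
    expected = session.data.pop("oauth_state", None)  # pop: state is single-use
    if expected is None or not hmac.compare_digest(expected, state):
        raise PermissionError("state mismatch")
    store.regenerate(session)  # any ID an attacker fixed before login is now dead
    session.data["user"] = user
    return session.sid
```

The two points a reviewer should look for in any client are visible here: the state value must be generated independently of anything the attacker can pre-set or observe and must be consumed once, and the session identifier that carries the authenticated user must be different from the one the browser held before the callback.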
Business impact
With a CVSS score of 9.3, this flaw poses a severe risk of unauthorized account access. An attacker who intercepts authentication tokens or hijacks an active session gains full access to the MISP platform as that user, including the sensitive threat-intelligence data it holds.
Remediation
Immediate Action: Update the MISP AAD authentication plugin to the latest version, which introduces cryptographically random state values, session ID rotation after login, and mandatory HTTPS on redirect URIs.
Proactive Monitoring: Audit authentication logs for anomalous patterns, such as one session ID or one account appearing from several source IPs in a short period, or a burst of OAuth error responses (for example repeated state-validation failures) from a single source.
Compensating Controls: Terminate all traffic at a load balancer or WAF that enforces HTTPS (rejecting or redirecting plain HTTP) and inspects incoming authentication requests for anomalous parameters. This only covers the transport side; the state and session-fixation weaknesses are in the plugin itself and are removed only by the update.
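The following is an added example of the kind of log audit the monitoring recommendation calls for; it is not MISP code, and the key=value line format and the events in it are constructed for the example rather than taken from MISP's real log format. It flags a session ID seen from more than one source IP, an account whose sessions span several IPs, and a source IP producing a burst of OAuth error responses.

```python
"""Added example of the log audit described above (not MISP code; the record
format below is constructed, one key=value authentication event per line)."""
from collections import defaultdict

# Constructed sample: alice's session s-1111 is later used from a second IP,
# and 203.0.113.9 produces a burst of OAuth callback errors.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z event=login_success user=alice session=s-1111 ip=198.51.100.7
2026-03-01T08:00:05Z event=login_success user=bob session=s-2222 ip=198.51.100.8
2026-03-01T08:03:10Z event=request user=alice session=s-1111 ip=203.0.113.9
2026-03-01T08:04:00Z event=oauth_error reason=state_mismatch ip=203.0.113.9
2026-03-01T08:04:01Z event=oauth_error reason=state_mismatch ip=203.0.113.9
2026-03-01T08:04:02Z event=oauth_error reason=invalid_redirect_uri ip=203.0.113.9
2026-03-01T08:05:00Z event=request user=bob session=s-2222 ip=198.51.100.8
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; timestamp kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def analyse(log_text, error_threshold=3):
    """Return the three anomaly classes the advisory suggests auditing for."""
    session_ips = defaultdict(set)   # session ID -> source IPs that used it
    user_ips = defaultdict(set)      # account   -> source IPs across its sessions
    errors_by_ip = defaultdict(int)  # source IP -> count of OAuth error events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ip = rec.get("ip", "unknown")
        if "session" in rec:
            session_ips[rec["session"]].add(ip)
        if "user" in rec:
            user_ips[rec["user"]].add(ip)
        if rec.get("event") == "oauth_error":
            errors_by_ip[ip] += 1
    return {
        # one session cookie seen from several IPs: classic hijack indicator
        "session_multiple_ips": {sid: sorted(ips) for sid, ips in session_ips.items() if len(ips) > 1},
        # one account active from several IPs: review, may also be legitimate roaming
        "user_multiple_ips": {u: sorted(ips) for u, ips in user_ips.items() if len(ips) > 1},
        # repeated callback failures from one source: probing of the OAuth flow
        "oauth_error_burst": {ip: n for ip, n in errors_by_ip.items() if n >= error_threshold},
    }


if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(category, hits)
```

In a real deployment the counts would be bounded by a time window and the IP sets compared against known corporate egress ranges, otherwise the user-level check will flag ordinary laptop-plus-phone usage; the session-level check is the higher-confidence signal because a browser does not normally present the same cookie from two networks within minutes.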
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability fundamentally breaks the security model of the AAD authentication integration. Administrators must apply the plugin update immediately to stop attackers from bypassing authentication controls and gaining unauthorized access to the system.