Filtered by vendor: Misp
Filtered by product: Misp
Total: 68 CVE (20 shown on this page)
| CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-10246 | Misp | Misp | 2023-03-01 | 6.1 Medium | MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. |
| CVE-2022-48329 | Misp | Misp | 2023-02-28 | 9.8 Critical | MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. |
| CVE-2023-24027 | Misp | Misp | 2023-01-27 | 6.1 Medium | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. |
| CVE-2018-11562 | Misp | Misp | 2022-10-03 | N/A | An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. |
| CVE-2018-6926 | Misp | Misp | 2022-10-03 | N/A | In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being accessible only to the site administrator. |
| CVE-2022-27243 | Misp | Misp | 2022-03-25 | 7.8 High | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
| CVE-2022-27244 | Misp | Misp | 2022-03-25 | 4.8 Medium | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
| CVE-2022-27245 | Misp | Misp | 2022-03-25 | 8.8 High | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. |
| CVE-2022-27246 | Misp | Misp | 2022-03-25 | 6.1 Medium | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
| CVE-2021-39302 | Misp | Misp | 2021-08-23 | 9.8 Critical | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2021-37534 | Misp | Misp | 2021-08-03 | 5.4 Medium | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. |
| CVE-2021-37743 | Misp | Misp | 2021-08-02 | 5.4 Medium | app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. |
| CVE-2020-14969 | Misp | Misp | 2021-07-21 | 7.5 High | app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. |
| CVE-2020-15411 | Misp | Misp | 2021-07-21 | 9.8 Critical | An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. |
| CVE-2019-9482 | Misp | Misp | 2021-07-21 | N/A | In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reporter only). |
| CVE-2020-11458 | Misp | Misp | 2021-07-21 | 4.9 Medium | app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not leak the full contents of a file, but it does leak strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. |
| CVE-2020-15412 | Misp | Misp | 2021-07-21 | 4.3 Medium | An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. |
| CVE-2021-36212 | Misp | Misp | 2021-07-08 | 6.1 Medium | app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. |
| CVE-2021-35502 | Misp | Misp | 2021-07-01 | 9.8 Critical | app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. |
| CVE-2021-31780 | Misp | Misp | 2021-05-05 | 7.5 High | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. |
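The descriptions above state version constraints in two different forms: "before X" means the issue is fixed in release X, while "MISP X" or "in MISP X" names only the release the issue was reported against and gives no fix version. The Python script below is an added example, not code from this CVE feed or from the MISP project. It embeds the 20 entries above as constructed data (first sentence of each description, transcribed from the table), extracts the version constraint from each, and reports for a supplied installed version which entries are affected, fixed, or need a changelog check. The function names (parse_version, constraint, status, triage) are this example's own.

```python
"""Version triage against the MISP CVE table above.

Added example; not code from the CVE feed or from the MISP project. ENTRIES is
constructed for this example from the descriptions on this page (first sentence
of each). Two forms of version constraint appear:
  "before X"  -> fixed in X; an installed version < X is affected.
  "MISP X"    -> the release the issue was reported against; the page names no
                 fix version, so anything newer is told to check the changelog.
"""
import re

# (CVE, description) pairs transcribed from the table on this page.
ENTRIES = [
    ("CVE-2020-10246", "MISP 2.4.122 has reflected XSS via unsanitized URL parameters."),
    ("CVE-2022-48329", "MISP before 2.4.166 unsafely allows users to use the order parameter."),
    ("CVE-2023-24027", "In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name."),
    ("CVE-2018-11562", "An issue was discovered in MISP 2.4.91."),
    ("CVE-2018-6926", "In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable."),
    ("CVE-2022-27243", "An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion."),
    ("CVE-2022-27244", "An issue was discovered in MISP before 2.4.156."),
    ("CVE-2022-27245", "An issue was discovered in MISP before 2.4.156."),
    ("CVE-2022-27246", "An issue was discovered in MISP before 2.4.156."),
    ("CVE-2021-39302", "MISP 2.4.148, in certain configurations, allows SQL injection."),
    ("CVE-2021-37534", "app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS."),
    ("CVE-2021-37743", "app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS."),
    ("CVE-2020-14969", "app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations."),
    ("CVE-2020-15411", "An issue was discovered in MISP 2.4.128."),
    ("CVE-2019-9482", "In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for."),
    ("CVE-2020-11458", "app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files."),
    ("CVE-2020-15412", "An issue was discovered in MISP 2.4.128."),
    ("CVE-2021-36212", "app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS."),
    ("CVE-2021-35502", "app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data."),
    ("CVE-2021-31780", "In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure."),
]

# "before 2.4.156" is tried first so that "MISP before X" is not misread as "MISP X".
# Both patterns are case-sensitive on purpose: "MispObject.php" must not match.
BEFORE_RE = re.compile(r"\bbefore (\d+(?:\.\d+)+)")
AT_RE = re.compile(r"\bMISP (\d+(?:\.\d+)+)")


def parse_version(text):
    """'2.4.156' -> (2, 4, 156); tuples compare numerically, so 2.4.150 > 2.4.9."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def constraint(description):
    """Return ('before', version) or ('at', version), or None if no version is stated."""
    match = BEFORE_RE.search(description)
    if match:
        return ("before", parse_version(match.group(1)))
    match = AT_RE.search(description)
    if match:
        return ("at", parse_version(match.group(1)))
    return None


def status(description, installed):
    """Classify one entry for the given installed version string."""
    found = constraint(description)
    if found is None:
        return "unknown"
    kind, stated = found
    installed_v = parse_version(installed)
    if kind == "before":
        return "affected" if installed_v < stated else "fixed"
    # Reported against one specific release; the page gives no fix version.
    if installed_v == stated:
        return "affected"
    if installed_v < stated:
        return "possibly affected"  # older than the release the issue was reported against
    return "check changelog"  # newer than the reported release; fix version not on this page


def triage(installed, entries=ENTRIES):
    """Map every CVE in the table to its status for the installed version."""
    return {cve: status(description, installed) for cve, description in entries}


def print_report(installed):
    for cve, result in sorted(triage(installed).items()):
        print(f"{cve:15} {result}")


if __name__ == "__main__":
    print_report("2.4.150")
```

Run it with the version reported by your own instance (for example from the MISP UI or the release tag of the deployed checkout). Entries classified "check changelog" are the ones where this table alone cannot tell you whether you are past the fix; resolve those against the MISP release notes rather than assuming the next release fixed them.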