Total: 68 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-10246 | 1 Misp | 1 Misp | 2023-03-01 | 4.3 MEDIUM | 6.1 MEDIUM | MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. |
CVE-2022-48329 | 1 Misp | 1 Misp | 2023-02-28 | N/A | 9.8 CRITICAL | MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. |
CVE-2023-24027 | 1 Misp | 1 Misp | 2023-01-27 | N/A | 6.1 MEDIUM | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. |
CVE-2022-27243 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 7.8 HIGH | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
CVE-2022-27244 | 1 Misp | 1 Misp | 2022-03-25 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
CVE-2022-27245 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. |
CVE-2022-27246 | 1 Misp | 1 Misp | 2022-03-25 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
CVE-2021-39302 | 1 Misp | 1 Misp | 2021-08-23 | 6.8 MEDIUM | 9.8 CRITICAL | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
CVE-2021-37534 | 1 Misp | 1 Misp | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. |
CVE-2021-37743 | 1 Misp | 1 Misp | 2021-08-02 | 3.5 LOW | 5.4 MEDIUM | app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. |
CVE-2020-11458 | 1 Misp | 1 Misp | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM | app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. |
CVE-2020-15412 | 1 Misp | 1 Misp | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. |
CVE-2020-14969 | 1 Misp | 1 Misp | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. |
CVE-2019-9482 | 1 Misp | 1 Misp | 2021-07-21 | 3.5 LOW | 5.3 MEDIUM | In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). |
CVE-2020-15411 | 1 Misp | 1 Misp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. |
CVE-2021-36212 | 1 Misp | 1 Misp | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. |
CVE-2021-35502 | 1 Misp | 1 Misp | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL | app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. |
CVE-2021-31780 | 1 Misp | 1 Misp | 2021-05-05 | 5.0 MEDIUM | 7.5 HIGH | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. |
CVE-2021-27904 | 1 Misp | 1 Misp | 2021-03-08 | 2.1 LOW | 5.5 MEDIUM | An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. |
CVE-2020-24085 | 1 Misp | 1 Misp | 2021-01-30 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php in the SetHomePage() function. Due to a lack of controller validation of the "path" parameter, an attacker can execute malicious JavaScript code. |