MISP Security Vulnerabilities

CVE-2024-25675
Published: 2024-02-09 09:15 AM | CVSS: 9.8 | AI Score: 7.3 | EPSS: 0.001
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and...

CVE-2024-25674
Published: 2024-02-09 09:15 AM | CVSS: 9.8 | AI Score: 7.5 | EPSS: 0.001
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME...

CVE-2023-50918
Published: 2023-12-15 06:15 PM | CVSS: 9.8 | AI Score: 7.4 | EPSS: 0.001
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit...

CVE-2023-49926
Published: 2023-12-03 03:15 AM | CVSS: 6.1 | AI Score: 6.4 | EPSS: 0.0005
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline...

CVE-2023-41098
Published: 2023-08-23 06:15 AM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.0005
An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard...

CVE-2023-40224
Published: 2023-08-10 08:15 PM | CVSS: 6.1 | AI Score: 6 | EPSS: 0.0005
MISP 2.4.174 allows XSS in...

CVE-2022-48328
Published: 2023-02-20 04:15 AM | CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.002
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and...

CVE-2022-48329
Published: 2023-02-20 04:15 AM | CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and...

CVE-2023-24028
Published: 2023-01-20 10:15 PM | CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.002
In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import...

CVE-2023-24027
Published: 2023-01-20 10:15 PM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history...

CVE-2023-24026
Published: 2023-01-20 10:15 PM | CVSS: 6.1 | AI Score: 6 | EPSS: 0.001
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview...

CVE-2022-29533
Published: 2022-04-20 11:15 PM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox...

CVE-2022-29530
Published: 2022-04-20 11:15 PM | CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy...

CVE-2022-29528
Published: 2022-04-20 11:15 PM | CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.003
An issue was discovered in MISP before 2.4.158. PHAR deserialization can...

CVE-2022-29534
Published: 2022-04-20 11:15 PM | CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json"...

CVE-2022-29532
Published: 2022-04-20 11:15 PM | CVSS: 4.8 | AI Score: 4.8 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on...

CVE-2022-29531
Published: 2022-04-20 11:15 PM | CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag...

CVE-2022-29529
Published: 2022-04-20 11:15 PM | CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login...

CVE-2022-27244
Published: 2022-03-18 06:15 PM | CVSS: 4.8 | AI Score: 4.7 | EPSS: 0.001
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a...

CVE-2022-27243
Published: 2022-03-18 06:15 PM | CVSS: 7.8 | AI Score: 7.6 | EPSS: 0.001
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file...

CVE-2022-27245
Published: 2022-03-18 06:15 PM | CVSS: 8.8 | AI Score: 8.5 | EPSS: 0.002
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to...

CVE-2022-27246
Published: 2022-03-18 06:15 PM | CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by...

CVE-2021-41326
Published: 2021-09-17 06:15 PM | CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec...

CVE-2021-39302
Published: 2021-08-19 05:15 PM | CVSS: 9.8 | AI Score: 9.8 | EPSS: 0.001
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org']...

CVE-2021-37742
Published: 2021-07-30 03:15 PM | CVSS: 5.4 | AI Score: 5.2 | EPSS: 0.001
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster...

CVE-2021-37743
Published: 2021-07-30 03:15 PM | CVSS: 5.4 | AI Score: 5.2 | EPSS: 0.001
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON...

CVE-2021-37534
Published: 2021-07-26 02:15 PM | CVSS: 5.4 | AI Score: 5.2 | EPSS: 0.001
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy...

CVE-2021-36212
Published: 2021-07-07 01:15 PM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups...

CVE-2021-35502
Published: 2021-06-25 09:15 PM | CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to...

CVE-2021-31780
Published: 2021-04-23 08:15 PM | CVSS: 7.5 | AI Score: 7.1 | EPSS: 0.002
In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is...

CVE-2021-27904
Published: 2021-03-02 07:15 AM | CVSS: 5.5 | AI Score: 5.5 | EPSS: 0.0004
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended...

CVE-2020-24085
Published: 2021-01-26 06:15 PM | CVSS: 6.1 | AI Score: 8.1 | EPSS: 0.001
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript...

CVE-2021-3184
Published: 2021-01-19 04:15 PM | CVSS: 6.1 | AI Score: 5.8 | EPSS: 0.001
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite...

CVE-2021-25325
Published: 2021-01-19 04:15 PM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript:...

CVE-2021-25323
Published: 2021-01-19 04:15 PM | CVSS: 9.1 | AI Score: 9.1 | EPSS: 0.002
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a...

CVE-2021-25324
Published: 2021-01-19 04:15 PM | CVSS: 6.1 | AI Score: 5.8 | EPSS: 0.001
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to...

CVE-2020-29572
Published: 2020-12-06 12:15 AM | CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001
app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment...

CVE-2020-29006
Published: 2020-11-24 03:15 PM | CVSS: 9.8 | AI Score: 7.3 | EPSS: 0.002
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and...

CVE-2020-28947
Published: 2020-11-19 06:15 PM | CVSS: 6.1 | AI Score: 6.5 | EPSS: 0.001
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is...

CVE-2020-28043
Published: 2020-11-02 09:15 PM | CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.002
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary...

CVE-2020-25766
Published: 2020-09-18 06:15 PM | CVSS: 7.5 | AI Score: 7.3 | EPSS: 0.001
An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login...

CVE-2020-15711
Published: 2020-07-14 01:15 PM | CVSS: 8.8 | AI Score: 7.4 | EPSS: 0.001
In MISP before 2.4.129, setting a favourite homepage was not CSRF...

CVE-2020-15412
Published: 2020-06-30 02:15 PM | CVSS: 4.3 | AI Score: 7.3 | EPSS: 0.001
An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact...

CVE-2020-15411
Published: 2020-06-30 02:15 PM | CVSS: 9.8 | AI Score: 7.4 | EPSS: 0.002
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment...

CVE-2020-14969
Published: 2020-06-22 12:15 PM | CVSS: 7.5 | AI Score: 7.3 | EPSS: 0.002
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable...

CVE-2020-13153
Published: 2020-05-18 10:15 PM | CVSS: 6.1 | AI Score: 6.5 | EPSS: 0.001
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes...

CVE-2020-12889
Published: 2020-05-15 06:15 PM | CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use...

CVE-2020-11458
Published: 2020-04-02 12:15 PM | CVSS: 4.9 | AI Score: 5.2 | EPSS: 0.001
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause leaks of strings that match certain patterns. Among the data that can leak are passwords from...

CVE-2020-10246
Published: 2020-03-09 07:15 PM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to...

CVE-2020-10247
Published: 2020-03-09 07:15 PM | CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to...

Total number of security vulnerabilities: 78 (50 listed on this page)
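Each entry above states its affected range only through the wording of the description: "MISP before X" (fixed in X), "MISP through X" (X still affected), or a bare "MISP X" (the version the issue was reported against, with no fixed version given). The script below, added here as an example and not code from the listing or from the MISP project, parses that wording and reports whether a deployed MISP version falls inside each range. Python is used because a practitioner would normally script this next to PyMISP. The ADVISORIES sample is a constructed subset of the descriptions above, the helper names and the "review" / "unparsed" statuses are this example's own, and the deployed version is hard-coded so the script runs offline (in practice it would come from the instance, for instance via PyMISP's version property).

```python
"""Triage the CVE listing above against a deployed MISP version.

Added example; not code from the listing or from the MISP project.
Version ranges are parsed from the wording the descriptions use:
  "MISP before X"   -> fixed in X, every earlier version affected
  "MISP through X"  -> X and every earlier version affected
  "MISP X"          -> reported against X; no fixed version is stated
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the descriptions above, copied
# up to the point where the listing truncates them.
ADVISORIES = {
    "CVE-2024-25675": "An issue was discovered in MISP before 2.4.184. A client does not "
                      "need to use POST to start an export generation process.",
    "CVE-2023-41098": "An issue was discovered in MISP 2.4.174. In app/Controller/"
                      "DashboardsController.php, a reflected XSS issue exists via the id parameter",
    "CVE-2022-29528": "An issue was discovered in MISP before 2.4.158. PHAR deserialization can",
    "CVE-2020-28043": "MISP through 2.4.133 allows SSRF in the REST client via the "
                      "use_full_path parameter",
    "CVE-2020-24085": "A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in "
                      "app/Controller/UserSettingsController.php at SetHomePage() function.",
    # A different product (the Maltego transform): there is no MISP core version to parse.
    "CVE-2020-12889": "MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users",
}

# "MISP", an optional qualifier, an optional "v", then a dotted version number.
VERSION_RE = re.compile(r"\bMISP\s+(?:(before|through)\s+)?v?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """'2.4.184' -> (2, 4, 184). Tuples compare numerically; strings do not."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class AffectedRange:
    kind: str          # "before", "through" or "exact"
    version: tuple


def affected_range(description: str):
    """Extract the affected range from one description, or None if none is stated."""
    match = VERSION_RE.search(description)
    if match is None:
        return None
    qualifier, version = match.groups()
    return AffectedRange(qualifier or "exact", parse_version(version))


def status(deployed: str, rng: AffectedRange) -> str:
    """'affected', 'fixed' or 'review' for one deployed version and one range."""
    v = parse_version(deployed)
    if rng.kind == "before":
        return "affected" if v < rng.version else "fixed"
    if rng.kind == "through":
        return "affected" if v <= rng.version else "fixed"
    # Only the reported version is known. Any other version needs a manual check
    # against the upstream changelog; the "review" status is this example's own.
    return "affected" if v == rng.version else "review"


def triage(deployed: str, advisories: dict = ADVISORIES) -> dict:
    """Map every CVE in the sample to its status for the deployed version."""
    report = {}
    for cve, text in advisories.items():
        rng = affected_range(text)
        report[cve] = status(deployed, rng) if rng else "unparsed"
    return report


if __name__ == "__main__":
    # Hard-coded so the script runs offline; a real run would read the version
    # from the instance (for example PyMISP's version property).
    for cve, verdict in sorted(triage("2.4.170").items()):
        print(f"{cve}: {verdict}")
```

The "review" verdict is deliberate: for entries that name only the version the issue was reported on (CVE-2023-41098, CVE-2020-24085 and most of the XSS entries above), the listing gives no fixed version, so the script refuses to call any other version fixed. The "unparsed" verdict flags entries such as CVE-2020-12889, which concerns the MISP-maltego transform rather than MISP itself, so they are not silently dropped from the report.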