73 matches found
CVE-2020-29006
The CVE-2020-29006 issue affects MISP before 2.4.135, due to missing ACL checks in GalaxyElementsController.php and GalaxyElement.php. The vulnerability enables improper access control, with CVSS v3.1: Network, Privileges NONE, UI NONE, Scope UNCHANGED, Impact HIGH on Confidentiality, Integrity, ...
CVE-2023-48656
CVE-2023-48656 affects MISP versions prior to 2.4.176 due to a flaw in app/Model/AppModel.php that mishandles order clauses. The issue’s impact is described as high for confidentiality, integrity, and availability. The connected documents confirm the affected software/version range and the root c...
CVE-2023-50918
MISP prior to 2.4.182 is affected by a vulnerability in app/Controller/AuditLogsController.php where ACLs for audit logs are mishandled. The root cause is improper access control handling for audit logs, potentially enabling unauthorized access or disclosure of audit data. Remediation is to upgra...
CVE-2023-48658
The CVE-2023-48658 entry affects MISP prior to 2.4.176. The vulnerability lies in app/Model/AppModel.php, which lacks a checkParam function for allowed characters (alphanumerics, underscore, dash, period, space). This could allow improper input handling leading to a CRITICAL impact (per CVSS 3.1:...
CVE-2023-49926
Summary : CVE-2023-49926 affects MISP prior to 2.4.179, where the event timeline widget is vulnerable to XSS via the file app/Lib/Tools/EventTimelineTool.php. The root cause is insufficient filtering/escaping of user-supplied data in the event timeline tool. Impact (per sources) : Unauthorized ex...
CVE-2026-56446
MISP is affected by CVE-2026-56446 where an authenticated site administrator could configure an arbitrary filesystem path for the NDJSON error log via JsonLogTool. Logged data can contain attacker-controlled content, enabling direction of log output to a web-accessible PHP file and potentially in...
CVE-2026-56423
Summary: CVE-2026-56423 affects MISP Core where bulk deletion (Event Reports and Sharing Groups) used broad role permissions instead of per-object authorization checks, enabling instance-wide deletions by eligible users. What was vulnerable: EventReportsController::deleteSelection relied on the g...
CVE-2026-8080
CVE-2026-8080 affects MISP core, specifically the old templating engine, where template element attribute type and category values were not validated. This stored XSS vulnerability impacts versions before 2.5.37 and is tied to the old engine later removed in 2.5.38. The CVSS-derived metrics indic...
CVE-2026-44381
MISP (open source threat intelligence platform) prior to version 2.5.37 contains a SQL injection vulnerability in handling of user-controlled ordering parameters on the event and shadow attribute listing endpoints. The affected code accepts order/sort values from request parameters and injects th...
CVE-2026-56425
CVE-2026-56425 affects the AAD authentication plugin for MISP (OAuth 2.0). The vulnerability stems from using session_id() as the OAuth state parameter, lack of session rotation after login, no dedicated nonce for the state, and not enforcing HTTPS for the redirect URI. Additional issue: OAuth er...
CVE-2026-39962
MISP (before version 2.5.36) is affected by an LDAP injection in ApacheAuthenticate.php: improper neutralization of special elements in an LDAP query allows an unsanitized username value to influence the search filter when ApacheAuthenticate.apacheEnv uses a user-controlled server variable (not R...
CVE-2026-10861
An open redirect vulnerability affects MISP in UsersController::routeafterlogin(), where the pre_login_requested_url session key is used as the post-login redirect destination without enforcing that it is a local path. An unauthenticated attacker can lure a user to a trusted MISP instance and, af...
CVE-2026-56447
The CVE describes a vulnerability in MISP where an authenticated site administrator could set the Kafka_rdkafka_config to an arbitrary filesystem path. MISP parses the referenced INI and forwards its options to librdkafka; a crafted INI could utilize options like plugin.library.paths to load an a...
CVE-2026-10856
CVE-2026-10856 concerns an open redirect in the MISP dashboard button widget due to a URL validation flaw. A crafted relative-looking URL could be accepted as a local path while browsers treat it as an external URL, especially when paths begin with /\ and browsers normalize backslashes to slashes...
CVE-2026-10855
CVE-2026-10855 concerns an authorization flaw in the MISP Event Template Importer overwrite workflow. During overwrite, the system checked for a matching template but did not verify that the importing user belonged to the organization that owned the template. This could allow an authenticated use...
CVE-2026-10864
The vulnerability CVE-2026-10864 affects MISP dashboard widgets (New Users and New Organisations). The issue stems from how field filtering and redaction are applied to the user-selected field list, which could leave the field set empty and cause the underlying query to fall back to returning uni...
CVE-2026-56424
CVE-2026-56424 affects MISP core and describes multiple broken access-control flaws where authorization checks target the wrong entity or where ownership checks are missing on write paths. In affected subsystems, a lower-privileged authenticated user with relevant feature permissions could cause ...
CVE-2026-10854
CVE-2026-10854 affects MISP: a visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based acce...
CVE-2026-10863
CVE-2026-10863 affects the correlations over-correlation endpoint in the application, specifically the overCorrelations() function in app/Controller/CorrelationsController.php. The vulnerability arises from accepting an order parameter from user-controlled named request parameters, which could al...
CVE-2025-67906
CVE-2025-67906 affects MISP prior to 2.5.28, where the app/View/Elements/Workflows/executionPath.ctp component is vulnerable to XSS due to improper handling of user-supplied data in the workflow execution path. This could allow injected scripts to run in a user’s browser. Remediation: upgrade to ...
CVE-2026-10860
In CVE-2026-10860, a logic error in the MISP CRUD component delete handler bypasses validation due to missing parentheses in the delete condition, allowing a DELETE request to proceed even when the delete validation callback rejects the operation. An authenticated attacker with access to an affec...
CVE-2026-44379
Affected software: MISP (Threat Intelligence and Sharing Platform). Prior to version 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field, allowing submission of malformed UUID values. This could lead to integrity issues or unexpected behavior in code paths assuming...
CVE-2026-44380
CVE-2026-44380 (MISP) is an improper access-control flaw in the authentication key reset feature present before version 2.5.37. An authenticated organization administrator could reset auth keys for site administrator accounts within the same organization, since non-site administrators were not ex...