Lucene search
+L

73 matches found

CVE
CVE
added 2020/11/24 2:17 p.m.37 views

CVE-2020-29006

The CVE-2020-29006 issue affects MISP before 2.4.135, due to missing ACL checks in GalaxyElementsController.php and GalaxyElement.php. The vulnerability enables improper access control, with CVSS v3.1: Network, Privileges NONE, UI NONE, Scope UNCHANGED, Impact HIGH on Confidentiality, Integrity, ...

9.8CVSS9.4AI score0.01231EPSS
CVE
CVE
added 2023/11/17 12:0 a.m.37 views

CVE-2023-48656

CVE-2023-48656 affects MISP versions prior to 2.4.176 due to a flaw in app/Model/AppModel.php that mishandles order clauses. The issue’s impact is described as high for confidentiality, integrity, and availability. The connected documents confirm the affected software/version range and the root c...

9.8CVSS9.4AI score0.00907EPSS
CVE
CVE
added 2023/12/15 12:0 a.m.36 views

CVE-2023-50918

MISP prior to 2.4.182 is affected by a vulnerability in app/Controller/AuditLogsController.php where ACLs for audit logs are mishandled. The root cause is improper access control handling for audit logs, potentially enabling unauthorized access or disclosure of audit data. Remediation is to upgra...

9.8CVSS9.4AI score0.00786EPSS
CVE
CVE
added 2023/11/17 12:0 a.m.35 views

CVE-2023-48658

The CVE-2023-48658 entry affects MISP prior to 2.4.176. The vulnerability lies in app/Model/AppModel.php, which lacks a checkParam function for allowed characters (alphanumerics, underscore, dash, period, space). This could allow improper input handling leading to a CRITICAL impact (per CVSS 3.1:...

9.8CVSS9.4AI score0.00907EPSS
CVE
CVE
added 2023/12/03 12:0 a.m.34 views

CVE-2023-49926

Summary : CVE-2023-49926 affects MISP prior to 2.4.179, where the event timeline widget is vulnerable to XSS via the file app/Lib/Tools/EventTimelineTool.php. The root cause is insufficient filtering/escaping of user-supplied data in the event timeline tool. Impact (per sources) : Unauthorized ex...

6.1CVSS5.9AI score0.0041EPSS
CVE
CVE
added 2026/06/22 12:31 p.m.30 views

CVE-2026-56446

MISP is affected by CVE-2026-56446 where an authenticated site administrator could configure an arbitrary filesystem path for the NDJSON error log via JsonLogTool. Logged data can contain attacker-controlled content, enabling direction of log output to a web-accessible PHP file and potentially in...

8.7CVSS6.6AI score0.00383EPSS
CVE
CVE
added 2026/06/22 11:56 a.m.29 views

CVE-2026-56423

Summary: CVE-2026-56423 affects MISP Core where bulk deletion (Event Reports and Sharing Groups) used broad role permissions instead of per-object authorization checks, enabling instance-wide deletions by eligible users. What was vulnerable: EventReportsController::deleteSelection relied on the g...

9.4CVSS6AI score0.00261EPSS
CVE
CVE
added 2026/05/07 12:7 p.m.28 views

CVE-2026-8080

CVE-2026-8080 affects MISP core, specifically the old templating engine, where template element attribute type and category values were not validated. This stored XSS vulnerability impacts versions before 2.5.37 and is tied to the old engine later removed in 2.5.38. The CVSS-derived metrics indic...

6.8CVSS5.8AI score0.00139EPSS
CVE
CVE
added 2026/05/13 8:50 p.m.26 views

CVE-2026-44381

MISP (open source threat intelligence platform) prior to version 2.5.37 contains a SQL injection vulnerability in handling of user-controlled ordering parameters on the event and shadow attribute listing endpoints. The affected code accepts order/sort values from request parameters and injects th...

9.3CVSS5.9AI score0.0054EPSS
CVE
CVE
added 2026/06/22 12:25 p.m.26 views

CVE-2026-56425

CVE-2026-56425 affects the AAD authentication plugin for MISP (OAuth 2.0). The vulnerability stems from using session_id() as the OAuth state parameter, lack of session rotation after login, no dedicated nonce for the state, and not enforcing HTTPS for the redirect URI. Additional issue: OAuth er...

9.3CVSS5.9AI score0.00258EPSS
CVE
CVE
added 2026/04/09 4:37 p.m.25 views

CVE-2026-39962

MISP (before version 2.5.36) is affected by an LDAP injection in ApacheAuthenticate.php: improper neutralization of special elements in an LDAP query allows an unsanitized username value to influence the search filter when ApacheAuthenticate.apacheEnv uses a user-controlled server variable (not R...

9.6CVSS5.9AI score0.00345EPSS
CVE
CVE
added 2026/06/04 1:26 p.m.24 views

CVE-2026-10861

An open redirect vulnerability affects MISP in UsersController::routeafterlogin(), where the pre_login_requested_url session key is used as the post-login redirect destination without enforcing that it is a local path. An unauthenticated attacker can lure a user to a trusted MISP instance and, af...

6.1CVSS5.8AI score0.00223EPSS
CVE
CVE
added 2026/06/22 12:39 p.m.24 views

CVE-2026-56447

The CVE describes a vulnerability in MISP where an authenticated site administrator could set the Kafka_rdkafka_config to an arbitrary filesystem path. MISP parses the referenced INI and forwards its options to librdkafka; a crafted INI could utilize options like plugin.library.paths to load an a...

9.3CVSS6.4AI score0.00342EPSS
CVE
CVE
added 2026/06/04 1:17 p.m.22 views

CVE-2026-10856

CVE-2026-10856 concerns an open redirect in the MISP dashboard button widget due to a URL validation flaw. A crafted relative-looking URL could be accepted as a local path while browsers treat it as an external URL, especially when paths begin with /\ and browsers normalize backslashes to slashes...

6.1CVSS5.7AI score0.00148EPSS
CVE
CVE
added 2026/06/04 1:5 p.m.21 views

CVE-2026-10855

CVE-2026-10855 concerns an authorization flaw in the MISP Event Template Importer overwrite workflow. During overwrite, the system checked for a matching template but did not verify that the importing user belonged to the organization that owned the template. This could allow an authenticated use...

5.1CVSS5.8AI score0.00154EPSS
CVE
CVE
added 2026/06/04 1:54 p.m.21 views

CVE-2026-10864

The vulnerability CVE-2026-10864 affects MISP dashboard widgets (New Users and New Organisations). The issue stems from how field filtering and redaction are applied to the user-selected field list, which could leave the field set empty and cause the underlying query to fall back to returning uni...

5.3CVSS5.8AI score0.00176EPSS
CVE
CVE
added 2026/06/22 12:17 p.m.21 views

CVE-2026-56424

CVE-2026-56424 affects MISP core and describes multiple broken access-control flaws where authorization checks target the wrong entity or where ownership checks are missing on write paths. In affected subsystems, a lower-privileged authenticated user with relevant feature permissions could cause ...

8.8CVSS5.9AI score0.00361EPSS
CVE
CVE
added 2026/06/04 12:51 p.m.20 views

CVE-2026-10854

CVE-2026-10854 affects MISP: a visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based acce...

5.3CVSS5.8AI score0.00176EPSS
CVE
CVE
added 2026/06/04 1:44 p.m.18 views

CVE-2026-10863

CVE-2026-10863 affects the correlations over-correlation endpoint in the application, specifically the overCorrelations() function in app/Controller/CorrelationsController.php. The vulnerability arises from accepting an order parameter from user-controlled named request parameters, which could al...

8.1CVSS5.8AI score0.00225EPSS
CVE
CVE
added 2025/12/15 3:25 a.m.16 views

CVE-2025-67906

CVE-2025-67906 affects MISP prior to 2.5.28, where the app/View/Elements/Workflows/executionPath.ctp component is vulnerable to XSS due to improper handling of user-supplied data in the workflow execution path. This could allow injected scripts to run in a user’s browser. Remediation: upgrade to ...

9CVSS6.1AI score0.00278EPSS
Web
CVE
CVE
added 2026/06/04 1:34 p.m.16 views

CVE-2026-10860

In CVE-2026-10860, a logic error in the MISP CRUD component delete handler bypasses validation due to missing parentheses in the delete condition, allowing a DELETE request to proceed even when the delete validation callback rejects the operation. An authenticated attacker with access to an affec...

7.9CVSS5.8AI score0.00197EPSS
CVE
CVE
added 2026/05/13 8:53 p.m.15 views

CVE-2026-44379

Affected software: MISP (Threat Intelligence and Sharing Platform). Prior to version 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field, allowing submission of malformed UUID values. This could lead to integrity issues or unexpected behavior in code paths assuming...

5.3CVSS5.9AI score0.00178EPSS
CVE
CVE
added 2026/05/13 8:51 p.m.15 views

CVE-2026-44380

CVE-2026-44380 (MISP) is an improper access-control flaw in the authentication key reset feature present before version 2.5.37. An authenticated organization administrator could reset auth keys for site administrator accounts within the same organization, since non-site administrators were not ex...

8.6CVSS5.8AI score0.00403EPSS
Total number of security vulnerabilities73