app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and...
CVSS 9.8 | AI Score 9.3 | EPSS 0.002
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and...
CVSS 9.8 | AI Score 9.3 | EPSS 0.001
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on...
CVSS 4.8 | AI Score 4.8 | EPSS 0.001
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json"...
CVSS 7.5 | AI Score 7.4 | EPSS 0.001
An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001
CVSS 9.8 | AI Score 9.4 | EPSS 0.003
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit...
CVSS 9.8 | AI Score 9.4 | EPSS 0.001
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline...
CVSS 6.1 | AI Score 5.9 | EPSS 0.0005
CVSS 6.1 | AI Score 5.9 | EPSS 0.0005
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger...
CVSS 7.2 | AI Score 7.2 | EPSS 0.003
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec...
CVSS 9.8 | AI Score 9.4 | EPSS 0.002
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in...
CVSS 7.5 | AI Score 7.5 | EPSS 0.001
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard...
CVSS 6.1 | AI Score 5.9 | EPSS 0.0005
app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should...
CVSS 4.3 | AI Score 4.4 | EPSS 0.001
MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error...
CVSS 7.5 | AI Score 7.3 | EPSS 0.001
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and...
CVSS 9.8 | AI Score 9.2 | EPSS 0.002
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import...
CVSS 9.8 | AI Score 9.4 | EPSS 0.002
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview...
CVSS 6.1 | AI Score 6 | EPSS 0.001
An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing...
CVSS 4.3 | AI Score 4.5 | EPSS 0.001
In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP...
CVSS 6.1 | AI Score 6 | EPSS 0.001
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by...
CVSS 7.2 | AI Score 6.9 | EPSS 0.001
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a...
CVSS 4.8 | AI Score 4.7 | EPSS 0.001
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file...
CVSS 7.8 | AI Score 7.5 | EPSS 0.001
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to...
CVSS 8.8 | AI Score 8.5 | EPSS 0.002
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by...
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org']...
CVSS 9.8 | AI Score 9.8 | EPSS 0.001
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001