An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
CVSS: 4.8 | AI Score: 4.7 | EPSS: 0.001
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
CVSS: 8.8 | AI Score: 8.5 | EPSS: 0.002
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001
CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.003
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
CVSS: 4.8 | AI Score: 4.8 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.001
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.
CVSS: 9.8 | AI Score: 9.2 | EPSS: 0.002
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.0005
An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.0005
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.0005
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.001
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.001
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.
CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.001