
76 matches found

added 2023/08/10 8:15 p.m., 101 views

CVE-2023-40224

MISP 2.4.174 allows XSS in app/View/Events/index.ctp.

CVSS 6.1, AI score 5.9, EPSS 0.00128

added 2020/05/18 10:15 p.m., 83 views

CVE-2020-13153

app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.

CVSS 6.1, AI score 5.9, EPSS 0.0024

added 2021/06/25 9:15 p.m., 75 views

CVE-2021-35502

app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.

CVSS 9.8, AI score 9.3, EPSS 0.00433

added 2022/04/20 11:15 p.m., 73 views

CVE-2022-29532

An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

CVSS 4.8, AI score 4.8, EPSS 0.00287

added 2022/03/18 6:15 p.m., 72 views

CVE-2022-27245

An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.

CVSS 8.8, AI score 8.5, EPSS 0.00315

added 2020/12/06 12:15 a.m., 69 views

CVE-2020-29572

app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.

CVSS 6.1, AI score 5.9, EPSS 0.0024

added 2022/03/18 6:15 p.m., 69 views

CVE-2022-27244

An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.

CVSS 4.8, AI score 4.7, EPSS 0.00223

added 2020/02/12 12:15 a.m., 67 views

CVE-2020-8893

An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp.

CVSS 7.5, AI score 7.5, EPSS 0.00414

added 2019/06/11 5:29 p.m., 66 views

CVE-2019-12794

An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance cre...

CVSS 6.6, AI score 6.5, EPSS 0.00359

added 2022/03/18 6:15 p.m., 66 views

CVE-2022-27243

An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.

CVSS 7.8, AI score 7.5, EPSS 0.0017

added 2021/01/26 6:15 p.m., 65 views

CVE-2020-24085

A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.

CVSS 6.1, AI score 5.9, EPSS 0.0024

added 2022/04/20 11:15 p.m., 65 views

CVE-2022-29533

An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."

CVSS 6.1, AI score 5.9, EPSS 0.00291

added 2020/02/12 12:15 a.m., 64 views

CVE-2020-8892

An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.

CVSS 8.1, AI score 7.9, EPSS 0.0051

added 2021/07/30 3:15 p.m., 64 views

CVE-2021-37743

app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

CVSS 5.4, AI score 5.1, EPSS 0.00255

added 2022/04/20 11:15 p.m., 63 views

CVE-2022-29528

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

CVSS 9.8, AI score 9.4, EPSS 0.00492

added 2020/02/12 12:15 a.m., 62 views

CVE-2020-8891

An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.

CVSS 5.9, AI score 5.6, EPSS 0.0042

added 2021/01/19 4:15 p.m., 62 views

CVE-2021-25323

The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.

CVSS 9.1, AI score 9.2, EPSS 0.00257

added 2021/07/30 3:15 p.m., 62 views

CVE-2021-37742

app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.

CVSS 5.4, AI score 5.1, EPSS 0.00255

added 2022/04/20 11:15 p.m., 62 views

CVE-2022-29529

An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

CVSS 5.4, AI score 5.1, EPSS 0.00341

added 2022/04/20 11:15 p.m., 62 views

CVE-2022-29530

An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

CVSS 5.4, AI score 5.1, EPSS 0.00341

added 2022/04/20 11:15 p.m., 62 views

CVE-2022-29531

An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

CVSS 5.4, AI score 5.1, EPSS 0.00341

added 2018/12/06 4:29 p.m., 60 views

CVE-2018-19908

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filenam...

CVSS 9, AI score 8.8, EPSS 0.4421

added 2020/03/09 7:15 p.m., 60 views

CVE-2020-10247

MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.

CVSS 6.1, AI score 5.9, EPSS 0.00328

added 2021/03/02 7:15 a.m., 60 views

CVE-2021-27904

An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.

CVSS 5.5, AI score 5.4, EPSS 0.00052

added 2020/02/12 12:15 a.m., 58 views

CVE-2020-8894

An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php.

CVSS 6.5, AI score 6.5, EPSS 0.00412

added 2024/02/09 9:15 a.m., 58 views

CVE-2024-25675

An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.

CVSS 9.8, AI score 9.3, EPSS 0.00108

added 2024/03/21 4:15 a.m., 58 views

CVE-2024-29858

In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.

CVSS 9.8, AI score 6.8, EPSS 0.00124

added 2020/02/12 12:15 a.m., 56 views

CVE-2020-8890

An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.

CVSS 5.9, AI score 5.6, EPSS 0.00382

added 2024/09/15 8:15 p.m., 56 views

CVE-2024-46918

app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.

CVSS 9.8, AI score 7, EPSS 0.00152

added 2024/03/21 4:15 a.m., 54 views

CVE-2024-29859

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

CVSS 9.8, AI score 6.8, EPSS 0.00166

added 2021/01/19 4:15 p.m., 51 views

CVE-2021-3184

MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.

CVSS 6.1, AI score 5.8, EPSS 0.0024

added 2022/04/20 11:15 p.m., 51 views

CVE-2022-29534

An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.

CVSS 7.5, AI score 7.4, EPSS 0.00241

added 2020/03/09 7:15 p.m., 50 views

CVE-2020-10246

MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.

CVSS 6.1, AI score 5.9, EPSS 0.00328

added 2024/02/09 9:15 a.m., 48 views

CVE-2024-25674

An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.

CVSS 9.8, AI score 9.4, EPSS 0.00108

added 2021/09/17 6:15 p.m., 47 views

CVE-2021-41326

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.

CVSS 9.8, AI score 9.4, EPSS 0.00252

added 2022/03/18 6:15 p.m., 46 views

CVE-2022-27246

An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.

CVSS 6.1, AI score 6.2, EPSS 0.00228

added 2025/03/28 10:15 p.m., 46 views

CVE-2024-58128

In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.

CVSS 5.5, AI score 6.2, EPSS 0.0006

added 2017/08/24 7:29 p.m., 45 views

CVE-2017-13671

app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.

CVSS 6.1, AI score 5.9, EPSS 0.0033

added 2021/01/19 4:15 p.m., 45 views

CVE-2021-25325

MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.

CVSS 6.1, AI score 5.9, EPSS 0.00371

added 2019/06/18 12:15 a.m., 44 views

CVE-2019-12868

app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

CVSS 7.2, AI score 7.2, EPSS 0.02063

added 2021/01/19 4:15 p.m., 43 views

CVE-2021-25324

MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.

CVSS 6.1, AI score 5.8, EPSS 0.00317

added 2025/03/28 10:15 p.m., 43 views

CVE-2024-58130

In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.

CVSS 7.2, AI score 7.2, EPSS 0.00053

added 2021/07/26 2:15 p.m., 41 views

CVE-2021-37534

app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.

CVSS 5.4, AI score 5.1, EPSS 0.0023

added 2021/08/19 5:15 p.m., 40 views

CVE-2021-39302

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.

CVSS 9.8, AI score 9.8, EPSS 0.00264

added 2023/02/20 4:15 a.m., 40 views

CVE-2022-48328

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

CVSS 9.8, AI score 9.3, EPSS 0.0013

added 2023/02/20 4:15 a.m., 39 views

CVE-2022-48329

MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.

CVSS 9.8, AI score 9.2, EPSS 0.00142

added 2023/01/20 10:15 p.m., 39 views

CVE-2023-24027

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

CVSS 6.1, AI score 5.9, EPSS 0.00128

added 2024/09/01 10:15 p.m., 39 views

CVE-2024-45509

In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.

CVSS 9.8, AI score 6.9, EPSS 0.00139

added 2019/07/27 6:15 p.m., 38 views

CVE-2019-14286

In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.

CVSS 6.1, AI score 5.8, EPSS 0.0024

added 2019/11/28 5:15 p.m., 38 views

CVE-2019-19379

In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.

CVSS 5.3, AI score 5.3, EPSS 0.00227

Total number of security vulnerabilities: 76