Total
62 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37743 | 1 Misp | 1 Misp | 2021-08-02 | 3.5 LOW | 5.4 MEDIUM |
| app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. | |||||
| CVE-2020-15412 | 1 Misp | 1 Misp | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. | |||||
| CVE-2020-14969 | 1 Misp | 1 Misp | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. | |||||
| CVE-2020-15411 | 1 Misp | 1 Misp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. | |||||
| CVE-2020-11458 | 1 Misp | 1 Misp | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. | |||||
| CVE-2019-9482 | 1 Misp | 1 Misp | 2021-07-21 | 3.5 LOW | 5.3 MEDIUM |
| In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). | |||||
| CVE-2021-36212 | 1 Misp | 1 Misp | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | |||||
| CVE-2021-35502 | 1 Misp | 1 Misp | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. | |||||
| CVE-2021-31780 | 1 Misp | 1 Misp | 2021-05-05 | 5.0 MEDIUM | 7.5 HIGH |
| In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. | |||||
| CVE-2021-27904 | 1 Misp | 1 Misp | 2021-03-08 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. | |||||
| CVE-2020-24085 | 1 Misp | 1 Misp | 2021-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code. | |||||
| CVE-2021-25323 | 1 Misp | 1 Misp | 2021-01-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
| CVE-2021-25324 | 1 Misp | 1 Misp | 2021-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. | |||||
| CVE-2021-3184 | 1 Misp | 1 Misp | 2021-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. | |||||
| CVE-2021-25325 | 1 Misp | 1 Misp | 2021-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. | |||||
| CVE-2020-29572 | 1 Misp | 1 Misp | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. | |||||
| CVE-2020-29006 | 1 Misp | 1 Misp | 2020-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. | |||||
| CVE-2020-28947 | 1 Misp | 1 Misp | 2020-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. | |||||
| CVE-2020-28043 | 1 Misp | 1 Misp | 2020-11-17 | 5.0 MEDIUM | 7.5 HIGH |
| MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. | |||||
| CVE-2020-25766 | 1 Misp | 1 Misp | 2020-09-27 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. | |||||