Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Misp Subscribe
Total 63 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-19379 1 Misp 1 Misp 2020-08-24 5.0 MEDIUM 5.3 MEDIUM
In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
CVE-2019-12794 1 Misp 1 Misp 2020-08-24 6.0 MEDIUM 6.6 MEDIUM
An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this.
CVE-2020-15711 1 Misp 1 Misp 2020-07-15 6.8 MEDIUM 8.8 HIGH
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
CVE-2020-13153 1 Misp 1 Misp 2020-05-19 4.3 MEDIUM 6.1 MEDIUM
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
CVE-2020-12889 1 Misp 1 Misp-maltego 2020-05-19 7.5 HIGH 9.8 CRITICAL
MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case.
CVE-2020-8894 1 Misp 1 Misp 2020-02-14 6.4 MEDIUM 6.5 MEDIUM
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php.
CVE-2020-8890 1 Misp 1 Misp 2020-02-14 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.
CVE-2020-8892 1 Misp 1 Misp 2020-02-14 6.8 MEDIUM 8.1 HIGH
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.
CVE-2020-8893 1 Misp 1 Misp 2020-02-14 5.0 MEDIUM 7.5 HIGH
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp.
CVE-2020-8891 1 Misp 1 Misp 2020-02-14 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.
CVE-2018-12649 1 Misp 1 Misp 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
CVE-2018-19908 1 Misp 1 Misp 2019-10-02 9.0 HIGH 8.8 HIGH
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
CVE-2019-16202 1 Misp 1 Misp 2019-09-11 4.0 MEDIUM 6.5 MEDIUM
MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
CVE-2019-14286 1 Misp 1 Misp 2019-07-31 4.3 MEDIUM 6.1 MEDIUM
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
CVE-2019-12868 1 Misp 1 Misp 2019-06-18 6.5 MEDIUM 7.2 HIGH
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-11814 1 Misp 1 Misp 2019-05-08 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
CVE-2019-11813 1 Misp 1 Misp 2019-05-08 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
CVE-2019-11812 1 Misp 1 Misp 2019-05-08 4.3 MEDIUM 6.1 MEDIUM
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
CVE-2019-10254 1 Misp 1 Misp 2019-03-28 4.3 MEDIUM 6.1 MEDIUM
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
CVE-2018-11562 1 Misp 1 Misp 2018-06-29 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.