Total
62 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-10247 | 1 Misp | 1 Misp | 2023-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. | |||||
CVE-2020-10246 | 1 Misp | 1 Misp | 2023-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. | |||||
CVE-2022-48328 | 1 Misp | 1 Misp | 2023-02-28 | N/A | 9.8 CRITICAL |
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. | |||||
CVE-2022-48329 | 1 Misp | 1 Misp | 2023-02-28 | N/A | 9.8 CRITICAL |
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. | |||||
CVE-2023-24027 | 1 Misp | 1 Misp | 2023-01-27 | N/A | 6.1 MEDIUM |
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. | |||||
CVE-2022-29528 | 1 Misp | 1 Misp | 2022-04-26 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. | |||||
CVE-2022-29530 | 1 Misp | 1 Misp | 2022-04-26 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. | |||||
CVE-2022-29531 | 1 Misp | 1 Misp | 2022-04-26 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. | |||||
CVE-2022-29529 | 1 Misp | 1 Misp | 2022-04-26 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. | |||||
CVE-2022-29532 | 1 Misp | 1 Misp | 2022-04-26 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. | |||||
CVE-2022-29533 | 1 Misp | 1 Misp | 2022-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." | |||||
CVE-2022-29534 | 1 Misp | 1 Misp | 2022-04-26 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header. | |||||
CVE-2022-27243 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 7.8 HIGH |
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. | |||||
CVE-2022-27244 | 1 Misp | 1 Misp | 2022-03-25 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. | |||||
CVE-2022-27245 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. | |||||
CVE-2022-27246 | 1 Misp | 1 Misp | 2022-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. | |||||
CVE-2021-41326 | 1 Misp | 1 Misp | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. | |||||
CVE-2021-39302 | 1 Misp | 1 Misp | 2021-08-23 | 6.8 MEDIUM | 9.8 CRITICAL |
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. | |||||
CVE-2021-37534 | 1 Misp | 1 Misp | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM |
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. | |||||
CVE-2021-37742 | 1 Misp | 1 Misp | 2021-08-02 | 3.5 LOW | 5.4 MEDIUM |
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. |