Misp
by Misp
Source repositories
CVEs (140)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-25674 | Misp / Misp | | 0.00 | — | 0.01 | | Feb 9, 2024 | An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. |
| CVE-2024-25675 | Misp / Misp | | 0.00 | — | 0.01 | | Feb 9, 2024 | An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. |
| CVE-2023-50918 | Misp / Misp | | 0.00 | — | 0.01 | | Dec 15, 2023 | app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. |
| CVE-2023-49926 | Misp / Misp | | 0.00 | — | 0.00 | | Dec 3, 2023 | app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. |
| CVE-2023-48659 | Misp / Misp | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing. |
| CVE-2023-48657 | Misp / Misp | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters. |
| CVE-2023-48658 | Misp / Misp | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and space. |
| CVE-2023-48656 | Misp / Misp | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses. |
| CVE-2023-48655 | Misp / Misp | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters. |
| CVE-2023-41098 | Misp / Misp | | 0.00 | — | 0.00 | | Aug 23, 2023 | An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit. |
| CVE-2023-40224 | Misp / Misp | | 0.00 | — | 0.00 | | Aug 10, 2023 | MISP 2.4.174 allows XSS in app/View/Events/index.ctp. |
| CVE-2023-37307 | Misp / Misp | | 0.00 | — | 0.00 | | Jun 30, 2023 | In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts. |
| CVE-2023-37306 | Misp / Misp | | 0.00 | — | 0.00 | | Jun 30, 2023 | MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error messages. |
| CVE-2023-28884 | Misp / Misp | | 0.00 | — | 0.00 | | Mar 27, 2023 | In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index. |
| CVE-2023-28607 | Misp / Misp | | 0.00 | — | 0.00 | | Mar 18, 2023 | js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip. |
| CVE-2023-28606 | Misp / Misp | | 0.00 | — | 0.00 | | Mar 18, 2023 | js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips. |
| CVE-2022-48329 | Misp / Misp | | 0.00 | — | 0.01 | | Feb 20, 2023 | MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. |
| CVE-2022-48328 | Misp / Misp | | 0.00 | — | 0.01 | | Feb 20, 2023 | app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. |
| CVE-2023-24070 | Misp / Misp | | 0.00 | — | 0.00 | | Jan 23, 2023 | app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field. |
| CVE-2023-24026 | Misp / Misp | | 0.00 | — | 0.00 | | Jan 20, 2023 | In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload. |