VYPR

Misp

by Misp

CVEs (140)

  • CVE-2023-24028 (Jan 20, 2023)
    risk 0.00 | cvss n/a | epss 0.01

    In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

  • CVE-2023-24027 (Jan 20, 2023)
    risk 0.00 | cvss n/a | epss 0.00

    In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

  • CVE-2022-47928 (Dec 22, 2022)
    risk 0.00 | cvss n/a | epss 0.00

    In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.

  • CVE-2022-42724 (Oct 10, 2022)
    risk 0.00 | cvss n/a | epss 0.00

    app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).

  • CVE-2022-29529 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

  • CVE-2022-29530 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

  • CVE-2022-29528 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

  • CVE-2022-29534 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.

  • CVE-2022-29532 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

  • CVE-2022-29531 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

  • CVE-2022-29533 (Apr 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."

  • CVE-2022-27243 (Mar 18, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.

  • CVE-2022-27244 (Mar 18, 2022)
    risk 0.00 | cvss n/a | epss 0.00

    An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.

  • CVE-2022-27245 (Mar 18, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.

  • CVE-2022-27246 (Mar 18, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.

  • CVE-2021-41326 (Sep 17, 2021)
    risk 0.00 | cvss n/a | epss 0.02

    In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.

  • CVE-2021-39302 (Aug 19, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.

  • CVE-2021-37743 (Jul 30, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

  • CVE-2021-37742 (Jul 30, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.

  • CVE-2021-37534 (Jul 26, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.

Page 5 of 7