Misp
by Misp
CVEs (140)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-24028 | | | 0.00 | — | 0.01 | | Jan 20, 2023 | In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function. |
| CVE-2023-24027 | | | 0.00 | — | 0.00 | | Jan 20, 2023 | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. |
| CVE-2022-47928 | | | 0.00 | — | 0.00 | | Dec 22, 2022 | In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp. |
| CVE-2022-42724 | | | 0.00 | — | 0.00 | | Oct 10, 2022 | app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have). |
| CVE-2022-29529 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. |
| CVE-2022-29530 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. |
| CVE-2022-29528 | | | 0.00 | — | 0.02 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. |
| CVE-2022-29534 | | | 0.00 | — | 0.02 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header. |
| CVE-2022-29532 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. |
| CVE-2022-29531 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. |
| CVE-2022-29533 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." |
| CVE-2022-27243 | | | 0.00 | — | 0.01 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
| CVE-2022-27244 | | | 0.00 | — | 0.00 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
| CVE-2022-27245 | | | 0.00 | — | 0.01 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. |
| CVE-2022-27246 | | | 0.00 | — | 0.01 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
| CVE-2021-41326 | | | 0.00 | — | 0.02 | | Sep 17, 2021 | In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. |
| CVE-2021-39302 | | | 0.00 | — | 0.01 | | Aug 19, 2021 | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2021-37743 | | | 0.00 | — | 0.01 | | Jul 30, 2021 | app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. |
| CVE-2021-37742 | | | 0.00 | — | 0.01 | | Jul 30, 2021 | app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. |
| CVE-2021-37534 | | | 0.00 | — | 0.01 | | Jul 26, 2021 | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. |