Misp
by Misp
Source repositories
CVEs (140)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-36212 | | | 0.00 | — | 0.01 | | Jul 7, 2021 | app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. |
| CVE-2021-35502 | | | 0.00 | — | 0.01 | | Jun 25, 2021 | app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. |
| CVE-2021-31780 | | | 0.00 | — | 0.01 | | Apr 23, 2021 | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is… |
| CVE-2021-27904 | | | 0.00 | — | 0.00 | | Mar 2, 2021 | An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. |
| CVE-2020-24085 | | | 0.00 | — | 0.01 | | Jan 20, 2021 | A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at the SetHomePage() function. Due to a lack of controller validation of the "path" parameter, an attacker can execute malicious JavaScript code. |
| CVE-2021-3184 | | | 0.00 | — | 0.01 | | Jan 19, 2021 | MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. |
| CVE-2021-25323 | | | 0.00 | — | 0.01 | | Jan 19, 2021 | The default setting of MISP 2.4.136 did not enable the requirement (aka require_password_confirmation) to provide the previous password when changing a password. |
| CVE-2021-25324 | | | 0.00 | — | 0.01 | | Jan 19, 2021 | MISP 2.4.136 has stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. |
| CVE-2021-25325 | | | 0.00 | — | 0.01 | | Jan 19, 2021 | MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. |
| CVE-2020-29572 | | | 0.00 | — | 0.01 | | Dec 5, 2020 | app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. |
| CVE-2020-29006 | | | 0.00 | — | 0.01 | | Nov 24, 2020 | MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. |
| CVE-2020-28947 | | | 0.00 | — | 0.01 | | Nov 19, 2020 | In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. |
| CVE-2020-28043 | | | 0.00 | — | 0.01 | | Nov 1, 2020 | MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. |
| CVE-2020-25766 | | | 0.00 | — | 0.01 | | Sep 18, 2020 | An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. |
| CVE-2020-15711 | | | 0.00 | — | 0.00 | | Jul 14, 2020 | In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. |
| CVE-2020-15412 | | | 0.00 | — | 0.01 | | Jun 30, 2020 | An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. |
| CVE-2020-15411 | | | 0.00 | — | 0.01 | | Jun 30, 2020 | An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. |
| CVE-2020-14969 | | | 0.00 | — | 0.01 | | Jun 22, 2020 | app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. |
| CVE-2020-13153 | | | 0.00 | — | 0.01 | | May 18, 2020 | app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. |
| CVE-2020-11458 | | | 0.00 | — | 0.01 | | Apr 2, 2020 | app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause leaks of strings that match certain patterns. Among the data that can leak are… |
Page 6 of 7