
Misp


CVEs (140)

  • CVE-2021-36212 (Jul 7, 2021)
    risk 0.00 cvss epss 0.01

    app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.

  • CVE-2021-35502 (Jun 25, 2021)
    risk 0.00 cvss epss 0.01

    app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.

  • CVE-2021-31780 (Apr 23, 2021)
    risk 0.00 cvss epss 0.01

    In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is…

  • CVE-2021-27904 (Mar 2, 2021)
    risk 0.00 cvss epss 0.00

    An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.

  • CVE-2020-24085 (Jan 20, 2021)
    risk 0.00 cvss epss 0.01

    A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in the SetHomePage() function of app/Controller/UserSettingsController.php. Due to a lack of controller validation of the "path" parameter, an attacker can execute malicious JavaScript code.

  • CVE-2021-3184 (Jan 19, 2021)
    risk 0.00 cvss epss 0.01

    MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.

  • CVE-2021-25323 (Jan 19, 2021)
    risk 0.00 cvss epss 0.01

    The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.

  • CVE-2021-25324 (Jan 19, 2021)
    risk 0.00 cvss epss 0.01

    MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.

  • CVE-2021-25325 (Jan 19, 2021)
    risk 0.00 cvss epss 0.01

    MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.

  • CVE-2020-29572 (Dec 5, 2020)
    risk 0.00 cvss epss 0.01

    app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.

  • CVE-2020-29006 (Nov 24, 2020)
    risk 0.00 cvss epss 0.01

    MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.

  • CVE-2020-28947 (Nov 19, 2020)
    risk 0.00 cvss epss 0.01

    In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.

  • CVE-2020-28043 (Nov 1, 2020)
    risk 0.00 cvss epss 0.01

    MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.

  • CVE-2020-25766 (Sep 18, 2020)
    risk 0.00 cvss epss 0.01

    An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page.

  • CVE-2020-15711 (Jul 14, 2020)
    risk 0.00 cvss epss 0.00

    In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.

  • CVE-2020-15412 (Jun 30, 2020)
    risk 0.00 cvss epss 0.01

    An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form.

  • CVE-2020-15411 (Jun 30, 2020)
    risk 0.00 cvss epss 0.01

    An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.

  • CVE-2020-14969 (Jun 22, 2020)
    risk 0.00 cvss epss 0.01

    app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.

  • CVE-2020-13153 (May 18, 2020)
    risk 0.00 cvss epss 0.01

    app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.

  • CVE-2020-11458 (Apr 2, 2020)
    risk 0.00 cvss epss 0.01

    app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leak of strings that match certain patterns. Among the data that can leak are…
