Misp
by Misp
CVEs (140)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10246 | | | 0.00 | — | 0.01 | | Mar 9, 2020 | MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. |
| CVE-2020-10247 | | | 0.00 | — | 0.01 | | Mar 9, 2020 | MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. |
| CVE-2020-8890 | | | 0.00 | — | 0.01 | | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. |
| CVE-2020-8891 | | | 0.00 | — | 0.01 | | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. |
| CVE-2020-8892 | | | 0.00 | — | 0.02 | | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. |
| CVE-2020-8894 | | | 0.00 | — | 0.01 | | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. |
| CVE-2020-8893 | | | 0.00 | — | 0.02 | | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. |
| CVE-2019-19379 | | | 0.00 | — | 0.01 | | Nov 28, 2019 | In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data. |
| CVE-2019-16202 | | | 0.00 | — | 0.01 | | Sep 10, 2019 | MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP… |
| CVE-2019-14286 | | | 0.00 | — | 0.01 | | Jul 27, 2019 | In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability. |
| CVE-2019-12868 | | | 0.00 | — | 0.03 | | Jun 17, 2019 | app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. |
| CVE-2019-12794 | | | 0.00 | — | 0.01 | | Jun 11, 2019 | An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host… |
| CVE-2019-11814 | | | 0.00 | — | 0.01 | | May 8, 2019 | An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. |
| CVE-2019-11813 | | | 0.00 | — | 0.01 | | May 8, 2019 | An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links. |
| CVE-2019-11812 | | | 0.00 | — | 0.01 | | May 8, 2019 | A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. |
| CVE-2019-10254 | | | 0.00 | — | 0.01 | | Mar 28, 2019 | In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. |
| CVE-2019-9482 | | | 0.00 | — | 0.01 | | Mar 1, 2019 | In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). |
| CVE-2018-11245 | | Med | 0.00 | 6.1 | 0.01 | | May 18, 2018 | app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. |
| CVE-2018-8949 | | Med | 0.00 | 4.3 | 0.01 | | Mar 23, 2018 | An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an… |
| CVE-2018-8948 | | Med | 0.00 | 6.1 | 0.01 | | Mar 23, 2018 | In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. |