Vendor CVEs
Misp
All CVEs
143 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-37743 | 0.00 | — | 0.01 | Jul 30, 2021 | app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. | |||
| CVE-2021-37742 | 0.00 | — | 0.01 | Jul 30, 2021 | app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. | |||
| CVE-2021-37534 | 0.00 | — | 0.01 | Jul 26, 2021 | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. | |||
| CVE-2021-36212 | 0.00 | — | 0.01 | Jul 7, 2021 | app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | |||
| CVE-2021-35502 | 0.00 | — | 0.01 | Jun 25, 2021 | app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. | |||
| CVE-2021-31780 | 0.00 | — | 0.01 | Apr 23, 2021 | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is… | |||
| CVE-2021-27904 | 0.00 | — | 0.00 | Mar 2, 2021 | An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. | |||
| CVE-2020-24085 | 0.00 | — | 0.01 | Jan 20, 2021 | A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code. | |||
| CVE-2021-3184 | 0.00 | — | 0.01 | Jan 19, 2021 | MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. | |||
| CVE-2021-25323 | 0.00 | — | 0.01 | Jan 19, 2021 | The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||
| CVE-2021-25324 | 0.00 | — | 0.01 | Jan 19, 2021 | MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. | |||
| CVE-2021-25325 | 0.00 | — | 0.01 | Jan 19, 2021 | MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. | |||
| CVE-2020-29572 | 0.00 | — | 0.01 | Dec 5, 2020 | app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. | |||
| CVE-2020-29006 | 0.00 | — | 0.01 | Nov 24, 2020 | MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. | |||
| CVE-2020-28947 | 0.00 | — | 0.01 | Nov 19, 2020 | In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. | |||
| CVE-2020-28043 | 0.00 | — | 0.01 | Nov 1, 2020 | MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. | |||
| CVE-2020-25766 | 0.00 | — | 0.01 | Sep 18, 2020 | An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. | |||
| CVE-2020-15711 | 0.00 | — | 0.00 | Jul 14, 2020 | In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. | |||
| CVE-2020-15412 | 0.00 | — | 0.01 | Jun 30, 2020 | An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. | |||
| CVE-2020-15411 | 0.00 | — | 0.01 | Jun 30, 2020 | An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. | |||
| CVE-2020-14969 | 0.00 | — | 0.01 | Jun 22, 2020 | app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. | |||
| CVE-2020-13153 | 0.00 | — | 0.01 | May 18, 2020 | app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. | |||
| CVE-2020-11458 | 0.00 | — | 0.01 | Apr 2, 2020 | app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are… | |||
| CVE-2020-10246 | 0.00 | — | 0.01 | Mar 9, 2020 | MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. | |||
| CVE-2020-10247 | 0.00 | — | 0.01 | Mar 9, 2020 | MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. | |||
| CVE-2020-8890 | 0.00 | — | 0.01 | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. | |||
| CVE-2020-8891 | 0.00 | — | 0.01 | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. | |||
| CVE-2020-8892 | 0.00 | — | 0.02 | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. | |||
| CVE-2020-8893 | 0.00 | — | 0.02 | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. | |||
| CVE-2020-8894 | 0.00 | — | 0.01 | Feb 11, 2020 | An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. | |||
| CVE-2019-19379 | 0.00 | — | 0.01 | Nov 28, 2019 | In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data. | |||
| CVE-2019-16202 | 0.00 | — | 0.01 | Sep 10, 2019 | MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP… | |||
| CVE-2019-14286 | 0.00 | — | 0.01 | Jul 27, 2019 | In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability. | |||
| CVE-2019-12868 | 0.00 | — | 0.03 | Jun 17, 2019 | app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. | |||
| CVE-2019-12794 | 0.00 | — | 0.01 | Jun 11, 2019 | An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host… | |||
| CVE-2019-11814 | 0.00 | — | 0.01 | May 8, 2019 | An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. | |||
| CVE-2019-11813 | 0.00 | — | 0.01 | May 8, 2019 | An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links. | |||
| CVE-2019-11812 | 0.00 | — | 0.01 | May 8, 2019 | A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. | |||
| CVE-2019-10254 | 0.00 | — | 0.01 | Mar 28, 2019 | In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. | |||
| CVE-2019-9482 | 0.00 | — | 0.01 | Mar 1, 2019 | In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). | |||
| CVE-2018-11245 | Med | 0.00 | 6.1 | 0.01 | May 18, 2018 | app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. | ||
| CVE-2018-8949 | Med | 0.00 | 4.3 | 0.01 | Mar 23, 2018 | An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an… | ||
| CVE-2018-8948 | Med | 0.00 | 6.1 | 0.01 | Mar 23, 2018 | In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. |
- CVE-2021-37743Jul 30, 2021risk 0.00cvss —epss 0.01
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
- CVE-2021-37742Jul 30, 2021risk 0.00cvss —epss 0.01
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.
- CVE-2021-37534Jul 26, 2021risk 0.00cvss —epss 0.01
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.
- CVE-2021-36212Jul 7, 2021risk 0.00cvss —epss 0.01
app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.
- CVE-2021-35502Jun 25, 2021risk 0.00cvss —epss 0.01
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.
- CVE-2021-31780Apr 23, 2021risk 0.00cvss —epss 0.01
In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is…
- CVE-2021-27904Mar 2, 2021risk 0.00cvss —epss 0.00
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
- CVE-2020-24085Jan 20, 2021risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.
- CVE-2021-3184Jan 19, 2021risk 0.00cvss —epss 0.01
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
- CVE-2021-25323Jan 19, 2021risk 0.00cvss —epss 0.01
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
- CVE-2021-25324Jan 19, 2021risk 0.00cvss —epss 0.01
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.
- CVE-2021-25325Jan 19, 2021risk 0.00cvss —epss 0.01
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.
- CVE-2020-29572Dec 5, 2020risk 0.00cvss —epss 0.01
app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.
- CVE-2020-29006Nov 24, 2020risk 0.00cvss —epss 0.01
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
- CVE-2020-28947Nov 19, 2020risk 0.00cvss —epss 0.01
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
- CVE-2020-28043Nov 1, 2020risk 0.00cvss —epss 0.01
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
- CVE-2020-25766Sep 18, 2020risk 0.00cvss —epss 0.01
An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page.
- CVE-2020-15711Jul 14, 2020risk 0.00cvss —epss 0.00
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
- CVE-2020-15412Jun 30, 2020risk 0.00cvss —epss 0.01
An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form.
- CVE-2020-15411Jun 30, 2020risk 0.00cvss —epss 0.01
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
- CVE-2020-14969Jun 22, 2020risk 0.00cvss —epss 0.01
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.
- CVE-2020-13153May 18, 2020risk 0.00cvss —epss 0.01
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
- CVE-2020-11458Apr 2, 2020risk 0.00cvss —epss 0.01
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are…
- CVE-2020-10246Mar 9, 2020risk 0.00cvss —epss 0.01
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
- CVE-2020-10247Mar 9, 2020risk 0.00cvss —epss 0.01
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
- CVE-2020-8890Feb 11, 2020risk 0.00cvss —epss 0.01
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.
- CVE-2020-8891Feb 11, 2020risk 0.00cvss —epss 0.01
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.
- CVE-2020-8892Feb 11, 2020risk 0.00cvss —epss 0.02
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.
- CVE-2020-8893Feb 11, 2020risk 0.00cvss —epss 0.02
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp.
- CVE-2020-8894Feb 11, 2020risk 0.00cvss —epss 0.01
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php.
- CVE-2019-19379Nov 28, 2019risk 0.00cvss —epss 0.01
In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
- CVE-2019-16202Sep 10, 2019risk 0.00cvss —epss 0.01
MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP…
- CVE-2019-14286Jul 27, 2019risk 0.00cvss —epss 0.01
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
- CVE-2019-12868Jun 17, 2019risk 0.00cvss —epss 0.03
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
- CVE-2019-12794Jun 11, 2019risk 0.00cvss —epss 0.01
An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host…
- CVE-2019-11814May 8, 2019risk 0.00cvss —epss 0.01
An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
- CVE-2019-11813May 8, 2019risk 0.00cvss —epss 0.01
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
- CVE-2019-11812May 8, 2019risk 0.00cvss —epss 0.01
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
- CVE-2019-10254Mar 28, 2019risk 0.00cvss —epss 0.01
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
- CVE-2019-9482Mar 1, 2019risk 0.00cvss —epss 0.01
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).
- risk 0.00cvss 6.1epss 0.01
app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.
- risk 0.00cvss 4.3epss 0.01
An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an…
- risk 0.00cvss 6.1epss 0.01
In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.
Page 3 of 3