Filtered by vendor Misp
Total: 77 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-49926 | 1 Misp | 1 Misp | 2023-12-06 | N/A | 6.1 MEDIUM | app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. |
| CVE-2023-40224 | 1 Misp | 1 Misp | 2023-11-17 | N/A | 6.1 MEDIUM | MISP 2.4.174 allows XSS in app/View/Events/index.ctp. |
| CVE-2022-29529 | 1 Misp | 1 Misp | 2023-11-03 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. |
| CVE-2023-41098 | 1 Misp | 1 Misp | 2023-08-28 | N/A | 6.1 MEDIUM | An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit. |
| CVE-2020-10247 | 1 Misp | 1 Misp | 2023-03-01 | 4.3 MEDIUM | 6.1 MEDIUM | MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. |
| CVE-2020-10246 | 1 Misp | 1 Misp | 2023-03-01 | 4.3 MEDIUM | 6.1 MEDIUM | MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. |
| CVE-2022-27243 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 7.8 HIGH | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
| CVE-2022-27244 | 1 Misp | 1 Misp | 2022-03-25 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
| CVE-2022-27245 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. |
| CVE-2022-27246 | 1 Misp | 1 Misp | 2022-03-25 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
| CVE-2021-41326 | 1 Misp | 1 Misp | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL | In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. |
| CVE-2021-39302 | 1 Misp | 1 Misp | 2021-08-23 | 6.8 MEDIUM | 9.8 CRITICAL | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2021-37534 | 1 Misp | 1 Misp | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. |
| CVE-2021-37742 | 1 Misp | 1 Misp | 2021-08-02 | 3.5 LOW | 5.4 MEDIUM | app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. |
| CVE-2021-37743 | 1 Misp | 1 Misp | 2021-08-02 | 3.5 LOW | 5.4 MEDIUM | app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. |
| CVE-2020-11458 | 1 Misp | 1 Misp | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM | app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leak of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. |
| CVE-2020-14969 | 1 Misp | 1 Misp | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. |
| CVE-2019-9482 | 1 Misp | 1 Misp | 2021-07-21 | 3.5 LOW | 5.3 MEDIUM | In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). |
| CVE-2020-15412 | 1 Misp | 1 Misp | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. |
| CVE-2020-15411 | 1 Misp | 1 Misp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. |
