Filtered by vendor Misp
Subscribe
Total
77 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36212 | 1 Misp | 1 Misp | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | |||||
| CVE-2021-35502 | 1 Misp | 1 Misp | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. | |||||
| CVE-2021-31780 | 1 Misp | 1 Misp | 2021-05-05 | 5.0 MEDIUM | 7.5 HIGH |
| In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. | |||||
| CVE-2021-27904 | 1 Misp | 1 Misp | 2021-03-08 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. | |||||
| CVE-2020-24085 | 1 Misp | 1 Misp | 2021-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code. | |||||
| CVE-2021-25323 | 1 Misp | 1 Misp | 2021-01-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
| CVE-2021-25324 | 1 Misp | 1 Misp | 2021-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. | |||||
| CVE-2021-25325 | 1 Misp | 1 Misp | 2021-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. | |||||
| CVE-2021-3184 | 1 Misp | 1 Misp | 2021-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. | |||||
| CVE-2020-29572 | 1 Misp | 1 Misp | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. | |||||
| CVE-2020-29006 | 1 Misp | 1 Misp | 2020-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. | |||||
| CVE-2020-28947 | 1 Misp | 1 Misp | 2020-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. | |||||
| CVE-2020-28043 | 1 Misp | 1 Misp | 2020-11-17 | 5.0 MEDIUM | 7.5 HIGH |
| MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. | |||||
| CVE-2020-25766 | 1 Misp | 1 Misp | 2020-09-27 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. | |||||
| CVE-2019-19379 | 1 Misp | 1 Misp | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data. | |||||
| CVE-2019-12794 | 1 Misp | 1 Misp | 2020-08-24 | 6.0 MEDIUM | 6.6 MEDIUM |
| An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this. | |||||
| CVE-2020-15711 | 1 Misp | 1 Misp | 2020-07-15 | 6.8 MEDIUM | 8.8 HIGH |
| In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. | |||||
| CVE-2020-13153 | 1 Misp | 1 Misp | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. | |||||
| CVE-2020-12889 | 1 Misp | 1 Misp-maltego | 2020-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case. | |||||
| CVE-2020-8894 | 1 Misp | 1 Misp | 2020-02-14 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. | |||||