Total
70 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41326 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. | |||||
| CVE-2021-3184 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. | |||||
| CVE-2021-39302 | 1 Misp | 1 Misp | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. | |||||
| CVE-2021-37743 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. | |||||
| CVE-2021-37742 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. | |||||
| CVE-2021-37534 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. | |||||
| CVE-2021-36212 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | |||||
| CVE-2021-35502 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. | |||||
| CVE-2021-31780 | 1 Misp | 1 Misp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. | |||||
| CVE-2021-27904 | 1 Misp | 1 Misp | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. | |||||
| CVE-2021-25325 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. | |||||
| CVE-2021-25324 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. | |||||
| CVE-2021-25323 | 1 Misp | 1 Misp | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
| CVE-2020-8894 | 1 Misp | 1 Misp | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. | |||||
| CVE-2020-8893 | 1 Misp | 1 Misp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. | |||||
| CVE-2020-8892 | 1 Misp | 1 Misp | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. | |||||
| CVE-2020-8891 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. | |||||
| CVE-2020-8890 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. | |||||
| CVE-2020-29572 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. | |||||
| CVE-2020-29006 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. | |||||