Filtered by vendor Misp
Subscribe
Total
70 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-12889 | 1 Misp | 1 Misp-maltego | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case. | |||||
CVE-2020-13153 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. | |||||
CVE-2020-11458 | 1 Misp | 1 Misp | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. | |||||
CVE-2020-15411 | 1 Misp | 1 Misp | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. | |||||
CVE-2020-15711 | 1 Misp | 1 Misp | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. | |||||
CVE-2020-14969 | 1 Misp | 1 Misp | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. | |||||
CVE-2020-15412 | 1 Misp | 1 Misp | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. | |||||
CVE-2020-8893 | 1 Misp | 1 Misp | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. | |||||
CVE-2020-10247 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. | |||||
CVE-2019-19379 | 1 Misp | 1 Misp | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data. | |||||
CVE-2020-8890 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. | |||||
CVE-2020-8894 | 1 Misp | 1 Misp | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. | |||||
CVE-2020-8892 | 1 Misp | 1 Misp | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. | |||||
CVE-2020-8891 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. | |||||
CVE-2020-10246 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. | |||||
CVE-2019-12794 | 1 Misp | 1 Misp | 2024-02-28 | 6.0 MEDIUM | 6.6 MEDIUM |
An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this. | |||||
CVE-2019-10254 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. | |||||
CVE-2019-12868 | 1 Misp | 1 Misp | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. | |||||
CVE-2019-11812 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. | |||||
CVE-2019-11814 | 1 Misp | 1 Misp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. |