Vulnerabilities (CVE)

Filtered by vendor Misp Subscribe
Filtered by product Misp
Total 70 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-24027 1 Misp 1 Misp 2024-11-21 N/A 6.1 MEDIUM
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.
CVE-2022-48329 1 Misp 1 Misp 2024-11-21 N/A 9.8 CRITICAL
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.
CVE-2022-48328 1 Misp 1 Misp 2024-11-21 N/A 9.8 CRITICAL
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
CVE-2022-29534 1 Misp 1 Misp 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.
CVE-2022-29533 1 Misp 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."
CVE-2022-29532 1 Misp 1 Misp 2024-11-21 3.5 LOW 4.8 MEDIUM
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
CVE-2022-29531 1 Misp 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
CVE-2022-29530 1 Misp 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
CVE-2022-29529 1 Misp 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
CVE-2022-29528 1 Misp 1 Misp 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
CVE-2022-27246 1 Misp 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
CVE-2022-27245 1 Misp 1 Misp 2024-11-21 6.8 MEDIUM 8.8 HIGH
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
CVE-2022-27244 1 Misp 1 Misp 2024-11-21 3.5 LOW 4.8 MEDIUM
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
CVE-2022-27243 1 Misp 1 Misp 2024-11-21 6.8 MEDIUM 7.8 HIGH
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
CVE-2021-41326 1 Misp 1 Misp 2024-11-21 7.5 HIGH 9.8 CRITICAL
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
CVE-2021-3184 1 Misp 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
CVE-2021-39302 1 Misp 1 Misp 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
CVE-2021-37743 1 Misp 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
CVE-2021-37742 1 Misp 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.
CVE-2021-37534 1 Misp 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.