Vulnerabilities (CVE)

Filtered by vendor Misp-project
Filtered by product Misp
Total 8 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-24028 1 Misp-project 1 Misp 2024-11-21 N/A 9.8 CRITICAL
In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVE-2023-24026 1 Misp-project 1 Misp 2024-11-21 N/A 6.1 MEDIUM
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
CVE-2018-8949 1 Misp-project 1 Misp 2024-11-21 5.5 MEDIUM 4.3 MEDIUM
An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute.
CVE-2018-8948 1 Misp-project 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.
CVE-2018-11245 1 Misp-project 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.
CVE-2017-16802 1 Misp-project 1 Misp 2024-11-21 3.5 LOW 5.4 MEDIUM
In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
CVE-2017-15216 1 Misp-project 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.
CVE-2017-14337 1 Misp-project 1 Misp 2024-11-21 6.8 MEDIUM 8.1 HIGH
When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.