Filtered by vendor: Misp
Total: 71 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-41098 | 1 Misp | 1 Misp | 2024-10-03 | 6.1 Medium | An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.
CVE-2024-46918 | 1 Misp | 1 Misp | 2024-09-20 | 9.8 Critical | app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
CVE-2018-6926 | 1 Misp | 1 Misp | 2024-09-16 | N/A | In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.
CVE-2018-11562 | 1 Misp | 1 Misp | 2024-09-16 | N/A | An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.
CVE-2024-45509 | 1 Misp | 1 Misp | 2024-09-04 | 9.8 Critical | In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.
CVE-2024-25674 | 1 Misp | 1 Misp | 2024-08-26 | 9.8 Critical | An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
CVE-2017-16946 | 1 Misp | 1 Misp | 2024-08-05 | N/A | The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.
CVE-2017-13671 | 1 Misp | 1 Misp | 2024-08-05 | N/A | app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.
CVE-2018-19908 | 1 Misp | 1 Misp | 2024-08-05 | N/A | An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
CVE-2018-12649 | 1 Misp | 1 Misp | 2024-08-05 | N/A | An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
CVE-2019-19379 | 1 Misp | 1 Misp | 2024-08-05 | 5.3 Medium | In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
CVE-2019-16202 | 1 Misp | 1 Misp | 2024-08-05 | 6.5 Medium | MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
CVE-2019-14286 | 1 Misp | 1 Misp | 2024-08-05 | N/A | In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
CVE-2019-12868 | 1 Misp | 1 Misp | 2024-08-04 | N/A | app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-12794 | 1 Misp | 1 Misp | 2024-08-04 | N/A | An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this.
CVE-2019-11812 | 1 Misp | 1 Misp | 2024-08-04 | N/A | A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
CVE-2019-11813 | 1 Misp | 1 Misp | 2024-08-04 | N/A | An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
CVE-2019-11814 | 1 Misp | 1 Misp | 2024-08-04 | N/A | An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
CVE-2019-10254 | 1 Misp | 1 Misp | 2024-08-04 | N/A | In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
CVE-2019-9482 | 1 Misp | 1 Misp | 2024-08-04 | N/A | In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).