Filtered by vendor Misp
Subscriptions
Filtered by product Misp
Subscriptions
Total
70 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-29006 | 1 Misp | 1 Misp | 2024-08-04 | 9.8 Critical |
| MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. | ||||
| CVE-2020-28947 | 1 Misp | 1 Misp | 2024-08-04 | 6.1 Medium |
| In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. | ||||
| CVE-2020-28043 | 1 Misp | 1 Misp | 2024-08-04 | 7.5 High |
| MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. | ||||
| CVE-2020-25766 | 1 Misp | 1 Misp | 2024-08-04 | 7.5 High |
| An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. | ||||
| CVE-2020-24085 | 1 Misp | 1 Misp | 2024-08-04 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code. | ||||
| CVE-2020-15711 | 1 Misp | 1 Misp | 2024-08-04 | 8.8 High |
| In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. | ||||
| CVE-2020-15411 | 1 Misp | 1 Misp | 2024-08-04 | 9.8 Critical |
| An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. | ||||
| CVE-2020-15412 | 1 Misp | 1 Misp | 2024-08-04 | 4.3 Medium |
| An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. | ||||
| CVE-2020-14969 | 1 Misp | 1 Misp | 2024-08-04 | 7.5 High |
| app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. | ||||
| CVE-2020-13153 | 1 Misp | 1 Misp | 2024-08-04 | 6.1 Medium |
| app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. | ||||
| CVE-2020-11458 | 1 Misp | 1 Misp | 2024-08-04 | 4.9 Medium |
| app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. | ||||
| CVE-2020-10247 | 1 Misp | 1 Misp | 2024-08-04 | 6.1 Medium |
| MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. | ||||
| CVE-2020-10246 | 1 Misp | 1 Misp | 2024-08-04 | 6.1 Medium |
| MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. | ||||
| CVE-2020-8892 | 1 Misp | 1 Misp | 2024-08-04 | 8.1 High |
| An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. | ||||
| CVE-2020-8890 | 1 Misp | 1 Misp | 2024-08-04 | 5.9 Medium |
| An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. | ||||
| CVE-2020-8891 | 1 Misp | 1 Misp | 2024-08-04 | 5.9 Medium |
| An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. | ||||
| CVE-2020-8894 | 1 Misp | 1 Misp | 2024-08-04 | 6.5 Medium |
| An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. | ||||
| CVE-2020-8893 | 1 Misp | 1 Misp | 2024-08-04 | 7.5 High |
| An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. | ||||
| CVE-2021-41326 | 1 Misp | 1 Misp | 2024-08-04 | 9.8 Critical |
| In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. | ||||
| CVE-2021-39302 | 1 Misp | 1 Misp | 2024-08-04 | 9.8 Critical |
| MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. | ||||