Filtered by vendor Misp Subscriptions
Filtered by product Misp Subscriptions
Total 70 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-28947 1 Misp 1 Misp 2024-11-21 6.1 Medium
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
CVE-2020-28043 1 Misp 1 Misp 2024-11-21 7.5 High
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
CVE-2020-25766 1 Misp 1 Misp 2024-11-21 7.5 High
An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page.
CVE-2020-24085 1 Misp 1 Misp 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.
CVE-2020-15711 1 Misp 1 Misp 2024-11-21 8.8 High
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
CVE-2020-15412 1 Misp 1 Misp 2024-11-21 4.3 Medium
An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form.
CVE-2020-15411 1 Misp 1 Misp 2024-11-21 9.8 Critical
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
CVE-2020-14969 1 Misp 1 Misp 2024-11-21 7.5 High
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.
CVE-2020-13153 1 Misp 1 Misp 2024-11-21 6.1 Medium
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
CVE-2020-11458 1 Misp 1 Misp 2024-11-21 4.9 Medium
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php.
CVE-2020-10247 1 Misp 1 Misp 2024-11-21 6.1 Medium
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
CVE-2020-10246 1 Misp 1 Misp 2024-11-21 6.1 Medium
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
CVE-2019-9482 1 Misp 1 Misp 2024-11-21 N/A
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).
CVE-2019-19379 1 Misp 1 Misp 2024-11-21 5.3 Medium
In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
CVE-2019-16202 1 Misp 1 Misp 2024-11-21 6.5 Medium
MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
CVE-2019-14286 1 Misp 1 Misp 2024-11-21 N/A
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
CVE-2019-12868 1 Misp 1 Misp 2024-11-21 N/A
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-12794 1 Misp 1 Misp 2024-11-21 N/A
An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this.
CVE-2019-11814 1 Misp 1 Misp 2024-11-21 N/A
An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
CVE-2019-11813 1 Misp 1 Misp 2024-11-21 N/A
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.