Filtered by vendor Misp Subscriptions
Filtered by product Misp Subscriptions
Total 70 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-11812 1 Misp 1 Misp 2024-11-21 N/A
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
CVE-2019-10254 1 Misp 1 Misp 2024-11-21 N/A
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
CVE-2018-6926 1 Misp 1 Misp 2024-11-21 N/A
In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.
CVE-2018-19908 1 Misp 1 Misp 2024-11-21 N/A
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
CVE-2018-12649 1 Misp 1 Misp 2024-11-21 N/A
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
CVE-2018-11562 1 Misp 1 Misp 2024-11-21 N/A
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.
CVE-2017-16946 1 Misp 1 Misp 2024-11-21 N/A
The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.
CVE-2017-13671 1 Misp 1 Misp 2024-11-21 N/A
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.
CVE-2024-46918 1 Misp 1 Misp 2024-09-20 9.8 Critical
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
CVE-2024-45509 1 Misp 1 Misp 2024-09-04 9.8 Critical
In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.