Filtered by vendor Misp
Subscriptions
Filtered by product Misp
Subscriptions
Total
70 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-11812 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. | ||||
CVE-2019-10254 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. | ||||
CVE-2018-6926 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator. | ||||
CVE-2018-19908 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. | ||||
CVE-2018-12649 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests. | ||||
CVE-2018-11562 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. | ||||
CVE-2017-16946 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. | ||||
CVE-2017-13671 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation. | ||||
CVE-2024-46918 | 1 Misp | 1 Misp | 2024-09-20 | 9.8 Critical |
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. | ||||
CVE-2024-45509 | 1 Misp | 1 Misp | 2024-09-04 | 9.8 Critical |
In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. |