Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:misp:misp:2.4.102:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-25675 |
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. Published: February 09, 2024; 4:15:08 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2024-25674 |
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. Published: February 09, 2024; 4:15:08 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-50918 |
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. Published: December 15, 2023; 1:15:07 PM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-49926 |
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. Published: December 02, 2023; 10:15:07 PM -0500 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2022-48329 |
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. Published: February 19, 2023; 11:15:11 PM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2022-48328 |
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. Published: February 19, 2023; 11:15:11 PM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2022-29534 |
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header. Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2022-29533 |
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-29532 |
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-29531 |
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-29530 |
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-29529 |
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-29528 |
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. Published: April 20, 2022; 7:15:08 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2022-27246 |
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. Published: March 18, 2022; 2:15:16 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-27245 |
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. Published: March 18, 2022; 2:15:16 PM -0400 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2022-27244 |
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. Published: March 18, 2022; 2:15:16 PM -0400 |
V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-27243 |
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. Published: March 18, 2022; 2:15:16 PM -0400 |
V3.1: 7.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2021-41326 |
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. Published: September 17, 2021; 2:15:08 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2021-36212 |
app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. Published: July 07, 2021; 9:15:08 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-27904 |
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. Published: March 02, 2021; 2:15:12 AM -0500 |
V3.1: 5.5 MEDIUM V2.0: 2.1 LOW |