Total: 77 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-67906 | 1 Misp | 1 Misp | 2025-12-21 | N/A | 5.4 MEDIUM | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. |
| CVE-2024-58130 | 1 Misp | 1 Misp | 2025-07-15 | N/A | 7.2 HIGH | In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. |
| CVE-2024-57969 | 1 Misp | 1 Misp | 2025-07-09 | N/A | 4.3 MEDIUM | app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. |
| CVE-2024-58128 | 1 Misp | 1 Misp | 2025-07-08 | N/A | 5.5 MEDIUM | In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. |
| CVE-2024-58129 | 1 Misp | 1 Misp | 2025-07-08 | N/A | 5.5 MEDIUM | In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. |
| CVE-2024-29858 | 1 Misp | 1 Misp | 2025-06-17 | N/A | 9.8 CRITICAL | In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. |
| CVE-2024-25675 | 1 Misp | 1 Misp | 2025-06-16 | N/A | 9.8 CRITICAL | An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. |
| CVE-2017-16946 | 1 Misp | 1 Misp | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM | The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. |
| CVE-2017-13671 | 1 Misp | 1 Misp | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation. |
| CVE-2023-24027 | 1 Misp | 1 Misp | 2025-04-02 | N/A | 6.1 MEDIUM | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. |
| CVE-2022-48329 | 1 Misp | 1 Misp | 2025-03-18 | N/A | 9.8 CRITICAL | MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. |
| CVE-2024-46918 | 1 Misp | 1 Misp | 2025-03-13 | N/A | 4.9 MEDIUM | app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. |
| CVE-2024-29859 | 1 Misp | 1 Misp | 2025-03-05 | N/A | 9.8 CRITICAL | In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. |
| CVE-2024-25674 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 9.8 CRITICAL | An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. |
| CVE-2023-50918 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 9.8 CRITICAL | app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. |
| CVE-2023-49926 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 6.1 MEDIUM | app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. |
| CVE-2023-41098 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 6.1 MEDIUM | An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit. |
| CVE-2023-40224 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 6.1 MEDIUM | MISP 2.4.174 allows XSS in app/View/Events/index.ctp. |
| CVE-2022-48328 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 9.8 CRITICAL | app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. |
| CVE-2022-29534 | 1 Misp | 1 Misp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header. |
| CVE-2022-29533 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." |
| CVE-2022-29532 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. |
| CVE-2022-29531 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. |
| CVE-2022-29530 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. |
| CVE-2022-29529 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. |
| CVE-2022-29528 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. |
| CVE-2022-27246 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
| CVE-2022-27245 | 1 Misp | 1 Misp | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. |
| CVE-2022-27244 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
| CVE-2022-27243 | 1 Misp | 1 Misp | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
| CVE-2021-41326 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. |
| CVE-2021-3184 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. |
| CVE-2021-39302 | 1 Misp | 1 Misp | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2021-37743 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows stored XSS when viewing galaxy cluster elements in JSON format. |
| CVE-2021-37742 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows stored XSS when viewing galaxy cluster relationships. |
| CVE-2021-37534 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows stored XSS when forking a galaxy cluster. |
| CVE-2021-36212 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. |
| CVE-2021-35502 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. |
| CVE-2021-31780 | 1 Misp | 1 Misp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. |
| CVE-2021-27904 | 1 Misp | 1 Misp | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. |