Total: 11 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-29534 | 1 Misp | 1 Misp | 2022-04-27 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header. |
| CVE-2020-14969 | 1 Misp | 1 Misp | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. |
| CVE-2021-31780 | 1 Misp | 1 Misp | 2021-05-05 | 5.0 MEDIUM | 7.5 HIGH | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. |
| CVE-2020-28043 | 1 Misp | 1 Misp | 2020-11-17 | 5.0 MEDIUM | 7.5 HIGH | MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. |
| CVE-2020-25766 | 1 Misp | 1 Misp | 2020-09-27 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. |
| CVE-2020-15711 | 1 Misp | 1 Misp | 2020-07-15 | 6.8 MEDIUM | 8.8 HIGH | In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. |
| CVE-2020-8892 | 1 Misp | 1 Misp | 2020-02-14 | 6.8 MEDIUM | 8.1 HIGH | An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. |
| CVE-2020-8893 | 1 Misp | 1 Misp | 2020-02-14 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. |
| CVE-2018-19908 | 1 Misp | 1 Misp | 2019-10-03 | 9.0 HIGH | 8.8 HIGH | An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. |
| CVE-2019-12868 | 1 Misp | 1 Misp | 2019-06-18 | 6.5 MEDIUM | 7.2 HIGH | app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. |
| CVE-2018-6926 | 1 Misp | 1 Misp | 2018-03-16 | 9.0 HIGH | 7.2 HIGH | In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator. |

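CVE-2022-29534 in the table above is a logic bypass rather than an injection: a security check (confirming the current password before changing it) could be skipped by asking for a JSON response. The block below is an added, self-contained illustration of that bug class in Python; it is not MISP's code and does not claim to mirror how UsersController.php was written or patched. `User`, `Request` and the two handler functions are constructed for the example, and PBKDF2 is used only so the password check is realistic. The vulnerable handler guards the check with the content-negotiation branch; the fixed one performs it unconditionally, before any representation-specific handling.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example is quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    """Constructed stand-in for the application's user record."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.pw_hash = hash_password(password, self.salt)

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.pw_hash,
                                   hash_password(candidate, self.salt))


@dataclass
class Request:
    """Constructed stand-in for an authenticated HTTP request."""
    headers: dict
    data: dict

    def wants_json(self) -> bool:
        return "application/json" in self.headers.get("Accept", "").lower()


def change_password_vulnerable(user: User, req: Request) -> int:
    """Bug pattern: the current-password confirmation lives only on the HTML
    form path. Sending 'Accept: application/json' selects the API path and
    skips it entirely, so a hijacked session can set a new password."""
    if not req.wants_json():
        if not user.check_password(req.data.get("current_password", "")):
            return 403
    user.set_password(req.data["new_password"])
    return 200


def change_password_fixed(user: User, req: Request) -> int:
    """Fixed pattern: confirm the current password regardless of which
    representation the client asked for, before any state change."""
    if not user.check_password(req.data.get("current_password", "")):
        return 403
    user.set_password(req.data["new_password"])
    return 200


def bypass_attempt(handler) -> tuple[int, bool]:
    """Run a change request that omits current_password but asks for JSON.
    Returns (status, password_was_changed)."""
    user = User()
    user.set_password("correct horse battery staple")
    req = Request({"Accept": "application/json"}, {"new_password": "owned"})
    status = handler(user, req)
    return status, user.check_password("owned")


def legitimate_change(handler) -> tuple[int, bool]:
    """A browser-style request that supplies the right current password."""
    user = User()
    user.set_password("correct horse battery staple")
    req = Request({"Accept": "text/html"},
                  {"current_password": "correct horse battery staple",
                   "new_password": "new one"})
    status = handler(user, req)
    return status, user.check_password("new one")


if __name__ == "__main__":
    print("vulnerable:", bypass_attempt(change_password_vulnerable))
    print("fixed:     ", bypass_attempt(change_password_fixed))
```

The general lesson is that any check which sits inside an `if wants_json` / `else` split must be moved above the split; the content type of the response has nothing to do with whether the caller proved possession of the current credential.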