Recent CVEs for MISP

MISP - CVE-2023-24028

2023-01-20T22:15:00+00:00

In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

MISP - CVE-2023-24026

2023-01-20T22:15:00+00:00

In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

MISP - CVE-2023-24027

2023-01-20T22:15:00+00:00

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

MISP - CVE-2022-29530

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

MISP - CVE-2022-29534

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.

MISP - CVE-2022-29529

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

MISP - CVE-2022-29533

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."

MISP - CVE-2022-29528

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

MISP - CVE-2022-29531

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

MISP - CVE-2022-29532

2022-04-20T23:15:00+00:00

An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

MISP - CVE-2022-27243

2022-03-18T18:15:00+00:00

An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.

MISP - CVE-2022-27244

2022-03-18T18:15:00+00:00

An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.

MISP - CVE-2022-27245

2022-03-18T18:15:00+00:00

An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.

MISP - CVE-2022-27246

2022-03-18T18:15:00+00:00

An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.

MISP - CVE-2021-41326

2021-09-17T18:15:00+00:00

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.

MISP - CVE-2021-39302

2021-08-19T17:15:00+00:00

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.

MISP - CVE-2021-37534

2021-07-26T14:15:00+00:00

app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.

MISP - CVE-2021-37742

2021-07-30T15:15:00+00:00

app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.

MISP - CVE-2021-37743

2021-07-30T15:15:00+00:00

app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

MISP - CVE-2021-36212

2021-07-07T13:15:00+00:00

app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.

MISP - CVE-2021-35502

2021-06-25T21:15:00+00:00

app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.

MISP - CVE-2021-31780

2021-04-23T20:15:00+00:00

In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused.

MISP - CVE-2021-27904

2021-03-02T07:15:00+00:00

An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.

MISP - CVE-2017-7215

2017-03-21T19:59:00+00:00

Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML.

MISP - CVE-2018-8949

2018-03-23T17:29:00+00:00

An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute.

MISP - CVE-2018-8948

2018-03-23T17:29:00+00:00

In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.

MISP - CVE-2018-11245

2018-05-18T18:29:00+00:00

app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.

MISP - CVE-2017-16802

2017-11-13T16:29:00+00:00

In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.

MISP - CVE-2017-15216

2017-10-10T18:29:00+00:00

MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.

MISP - CVE-2017-14337

2017-09-12T16:29:00+00:00

When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.

MISP - CVE-2020-24085

2021-01-26T18:15:00+00:00

A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.

MISP - CVE-2021-25323

2021-01-19T16:15:00+00:00

The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.

MISP - CVE-2021-3184

2021-01-19T16:15:00+00:00

MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.

MISP - CVE-2021-25325

2021-01-19T16:15:00+00:00

MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.

MISP - CVE-2021-25324

2021-01-19T16:15:00+00:00

MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.

MISP - CVE-2020-8893

2020-02-12T00:15:00+00:00

An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp.

MISP - CVE-2019-9482

2019-03-01T05:29:00+00:00

In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).

MISP - CVE-2020-8894

2020-02-12T00:15:00+00:00

An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php.

MISP - CVE-2018-6926

2018-02-12T17:29:00+00:00

In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.

MISP - CVE-2020-8892

2020-02-12T00:15:00+00:00

An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.

MISP - CVE-2020-8891

2020-02-12T00:15:00+00:00

An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.

MISP - CVE-2020-8890

2020-02-12T00:15:00+00:00

An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.

MISP - CVE-2019-19379

2019-11-28T17:15:00+00:00

In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.

MISP - CVE-2018-19908

2018-12-06T16:29:00+00:00

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

MISP - CVE-2020-29572

2020-12-06T00:15:00+00:00

app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.

MISP - CVE-2020-28947

2020-11-19T18:15:00+00:00

In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.

MISP - CVE-2020-28043

2020-11-02T21:15:00+00:00

MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.

MISP - CVE-2019-16202

2019-09-10T14:15:00+00:00

MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.

MISP - CVE-2019-14286

2019-07-27T18:15:00+00:00

In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.

MISP - CVE-2020-29006

2020-11-24T15:15:00+00:00

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.

MISP - CVE-2020-25766

2020-09-18T18:15:00+00:00

An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page.

MISP - CVE-2020-15412

2020-06-30T14:15:00+00:00

An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form.

MISP - CVE-2018-12649

2018-06-22T14:29:00+00:00

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.

MISP - CVE-2020-15711

2020-07-14T13:15:00+00:00

In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.

MISP - CVE-2020-15411

2020-06-30T14:15:00+00:00

An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.

MISP - CVE-2018-11562

2018-05-30T20:29:00+00:00

An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.

MISP - CVE-2020-14969

2020-06-22T12:15:00+00:00

app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.

MISP - CVE-2017-16946

2017-11-25T18:29:00+00:00

The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.

MISP - CVE-2019-12868

2019-06-18T00:15:00+00:00

app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

MISP - CVE-2019-12794

2019-06-11T17:29:00+00:00

An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this.

MISP - CVE-2020-12889

2020-05-15T18:15:00+00:00

MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case.

MISP - CVE-2019-11814

2019-05-08T13:29:00+00:00

An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.

MISP - CVE-2019-11812

2019-05-08T13:29:00+00:00

A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.

MISP - CVE-2019-11813

2019-05-08T13:29:00+00:00

An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.

MISP - CVE-2020-13153

2020-05-18T22:15:00+00:00

app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.

MISP - CVE-2017-13671

2017-08-24T19:29:00+00:00

app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.

MISP - CVE-2020-11458

2020-04-02T12:15:00+00:00

app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php.

MISP - CVE-2020-10246

2020-03-09T19:15:00+00:00

MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.

MISP - CVE-2019-16202

2019-09-10T10:15:10.663000+00:00

MISP - CVE-2019-14286

2019-07-27T14:15:12.120000+00:00

MISP - CVE-2019-12868

2019-06-17T20:15:09.317000+00:00

MISP - CVE-2019-12794

2019-06-11T13:29:00.550000+00:00

MISP - CVE-2019-11812

2019-05-08T09:29:00.253000+00:00

MISP - CVE-2019-11813

2019-05-08T09:29:00.440000+00:00

An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.

MISP - CVE-2019-11814

2019-05-08T09:29:00.487000+00:00

An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.

MISP - CVE-2019-10254

2019-03-28T11:29:00.387000+00:00

In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.

MISP - CVE-2018-19908

2018-12-06T11:29:00.290000+00:00

MISP - CVE-2019-9482

2019-03-01T00:29:00.790000+00:00

MISP - CVE-2019-10254

2019-03-28T15:29:00+00:00

In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.

MISP - CVE-2020-10247

2020-03-09T19:15:00+00:00

MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.

MISP - CVE-2018-12649

2018-06-22T10:29:00.310000+00:00

MISP - CVE-2018-11562

2018-05-30T16:29:00.313000+00:00

MISP - CVE-2018-11245

2018-05-18T14:29:00.280000+00:00

app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.

MISP - CVE-2018-6926

2018-02-12T12:29:00.323000+00:00

MISP - CVE-2017-7215

2017-03-21T15:59:00.173000+00:00

MISP - CVE-2017-14337

2017-09-12T12:29:00.177000+00:00

MISP - CVE-2017-15216

2017-10-10T14:29:00.243000+00:00

MISP - CVE-2017-16802

2017-11-13T11:29:00.263000+00:00

In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.

MISP - CVE-2017-13671

2017-08-24T15:29:00.250000+00:00

MISP - CVE-2017-16946

2017-11-25T13:29:00.220000+00:00

The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.