Misp-Project Misp vulnerabilities
121 known vulnerabilities affecting misp-project/misp.
Total CVEs
121
CISA KEV
0
Public exploits
3
Exploited in wild
0
Severity breakdown
CRITICAL26HIGH23MEDIUM72
Vulnerabilities
Page 2 of 7
CVE-2017-14337P3HIGHCVSS 8.1≤ 2.4.792017-09-12
CVE-2017-14337 [HIGH] CWE-287 CVE-2017-14337: When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunctio
When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.
nvd
CVE-2023-48659P3CRITICALCVSS 9.8fixed in 2.4.1762023-11-17
CVE-2023-48659 [CRITICAL] CVE-2023-48659: An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles paramete
An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing.
nvd
CVE-2023-48655P3CRITICALCVSS 9.8fixed in 2.4.1762023-11-17
CVE-2023-48655 [CRITICAL] CWE-116 CVE-2023-48655: An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php do
An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters.
nvd
CVE-2021-25323P3CRITICALCVSS 9.1v2.4.1362021-01-19
CVE-2021-25323 [CRITICAL] CWE-640 CVE-2021-25323: The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmati
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
nvd
CVE-2021-39302P3CRITICALCVSS 9.8v2.4.1482021-08-19
CVE-2021-39302 [CRITICAL] CWE-89 CVE-2021-39302: MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions[
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
nvd
CVE-2024-25675P3CRITICALCVSS 9.8fixed in 2.4.1842024-02-09
CVE-2024-25675 [CRITICAL] CWE-749 CVE-2024-25675: An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an expor
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.
nvd
CVE-2023-50918P3CRITICALCVSS 9.8fixed in 2.4.1822023-12-15
CVE-2023-50918 [CRITICAL] CVE-2023-50918: app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
nvd
CVE-2020-28043P3HIGHCVSS 7.5≤ 2.4.1332020-11-02
CVE-2020-28043 [HIGH] CWE-918 CVE-2020-28043: MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrar
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
nvd
CVE-2020-29006P3CRITICALCVSS 9.8fixed in 2.4.1352020-11-24
CVE-2020-29006 [CRITICAL] CWE-862 CVE-2020-29006: MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and a
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
nvd
CVE-2022-48329P3CRITICALCVSS 9.8fixed in 2.4.1662023-02-20
CVE-2022-48329 [CRITICAL] CWE-755 CVE-2022-48329: MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.
nvd
CVE-2019-12868P3HIGHCVSS 7.2v2.4.1092019-06-18
CVE-2019-12868 [HIGH] CWE-502 CVE-2019-12868: app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator becaus
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
nvd
CVE-2018-12649P3CRITICALCVSS 9.8v2.4.922018-06-22
CVE-2018-12649 [CRITICAL] CWE-307 CVE-2018-12649: An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypas
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
nvd
CVE-2020-15411P3CRITICALCVSS 9.8v2.4.1282020-06-30
CVE-2020-15411 [CRITICAL] CVE-2020-15411: An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient AC
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
nvd
CVE-2023-48657P3CRITICALCVSS 9.8fixed in 2.4.1762023-11-17
CVE-2023-48657 [CRITICAL] CVE-2023-48657: An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters.
An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters.
nvd
CVE-2023-48658P3CRITICALCVSS 9.8fixed in 2.4.1762023-11-17
CVE-2023-48658 [CRITICAL] CVE-2023-48658: An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function f
An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and space.
nvd
CVE-2025-67906P3CRITICALCVSS 9.0fixed in 2.5.282025-12-15
CVE-2025-67906 [CRITICAL] CWE-79 CVE-2025-67906: In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow exec
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
nvd
CVE-2021-35502P3CRITICALCVSS 9.8v2.4.1442021-06-25
CVE-2021-35502 [CRITICAL] CVE-2021-35502: app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanit
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.
nvd
CVE-2023-48656P3CRITICALCVSS 9.8fixed in 2.4.1762023-11-17
CVE-2023-48656 [CRITICAL] CVE-2023-48656: An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses.
An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses.
nvd
CVE-2018-6926P3HIGHCVSS 7.2v2.4.872018-02-12
CVE-2018-6926 [HIGH] CWE-78 CVE-2018-6926: In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a
In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrat
nvd
CVE-2026-9137P3HIGHCVSS 7.5≥ 2.5.0, < 2.5.382026-05-20
CVE-2026-9137 [HIGH] CWE-400 CVE-2026-9137: The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed
The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
nvd