
Misp-Project Misp vulnerabilities

121 known vulnerabilities affecting misp-project/misp.

Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 26, HIGH 23, MEDIUM 72

Vulnerabilities

Page 4 of 7
CVE-2020-11458 | P4 | MEDIUM | CVSS 4.9 | fixed in 2.4.124 | 2020-04-02
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leak of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php.
Source: nvd
CVE-2020-8890 | P4 | MEDIUM | CWE-367 | CVSS 5.9 | fixed in 2.4.121 | 2020-02-12
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.
Source: nvd
CVE-2024-58130 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 2.4.193 | 2025-03-28
In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.
Source: nvd
CVE-2020-8891 | P4 | MEDIUM | CVSS 5.9 | fixed in 2.4.121 | 2020-02-12
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.
Source: nvd
CVE-2019-9482 | P4 | MEDIUM | CWE-862 | CVSS 5.3 | v2.4.102 | 2019-03-01
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).
Source: nvd
CVE-2026-8080 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | fixed in 2.5.37 | 2026-05-07
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute ty
Source: nvd
CVE-2021-36212 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 2.4.146 | 2021-07-07
app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.
Source: nvd
CVE-2019-19379 | P4 | MEDIUM | CVSS 5.3 | v2.4.118 | 2019-11-28
In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
Source: nvd
CVE-2015-5720 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | ≤ 2.3.89 | 2016-09-03
Multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature in Malware Information Sharing Platform (MISP) before 2.3.90 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) add.ctp, (2) edit.ctp, and (3) ajaxification.js.
Source: nvd
CVE-2020-24085 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.4.128 | 2021-01-26
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at the SetHomePage() function. Due to a lack of controller validation of the "path" parameter, an attacker can execute malicious JavaScript code.
Source: nvd
CVE-2019-14286 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.4.111 | 2019-07-27
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
Source: nvd
CVE-2021-25324 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.4.136 | 2021-01-19
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.
Source: nvd
CVE-2021-3184 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.4.136 | 2021-01-19
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
Source: nvd
CVE-2023-49926 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 2.4.179 | 2023-12-03
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.
Source: nvd
CVE-2023-40224 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.4.174 | 2023-08-10
MISP 2.4.174 allows XSS in app/View/Events/index.ctp.
Source: nvd
CVE-2023-41098 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.4.174 | 2023-08-23
An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.
Source: nvd
CVE-2022-29531 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | fixed in 2.4.158 | 2022-04-20
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
Source: nvd
CVE-2022-29529 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | fixed in 2.4.158 | 2022-04-20
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
Source: nvd
CVE-2022-29530 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | fixed in 2.4.158 | 2022-04-20
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
Source: nvd
CVE-2021-37742 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | v2.4.147 | 2021-07-30
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.
Source: nvd