Misp-Project Misp vulnerabilities

121 known vulnerabilities affecting misp-project/misp.

Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 26, HIGH 23, MEDIUM 72

Vulnerabilities

Page 5 of 7

CVE | Priority | Severity | CVSS | Version | Date
CVE-2021-37534 | P4 | MEDIUM | CVSS 5.4 | v2.4.146 | 2021-07-26
CWE-79: app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.
Source: nvd
CVE-2017-16946 | P4 | MEDIUM | CVSS 4.9 | v2.4.82 | 2017-11-25
CWE-532: The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.
Source: nvd
CVE-2026-10864 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.5.39 | 2026-06-04
CWE-200: A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintende
Source: nvd
CVE-2017-13671 | P4 | MEDIUM | CVSS 6.1 | ≤ 2.4.78 | 2017-08-24
CWE-79: app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.
Source: nvd
CVE-2020-28947 | P4 | MEDIUM | CVSS 6.1 | v2.4.134 | 2020-11-19
CWE-79: In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
Source: nvd
CVE-2022-29533 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.158 | 2022-04-20
CWE-79: An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."
Source: nvd
CVE-2020-29572 | P4 | MEDIUM | CVSS 6.1 | v2.4.135 | 2020-12-06
CWE-79: app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.
Source: nvd
CVE-2022-27246 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.156 | 2022-03-18
CWE-79: An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
Source: nvd
CVE-2022-47928 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.167 | 2022-12-22
CWE-79: In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.
Source: nvd
CVE-2023-28884 | P4 | MEDIUM | CVSS 6.1 | v2.4.169 | 2023-03-27
CWE-79: In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index.
Source: nvd
CVE-2023-24027 | P4 | MEDIUM | CVSS 6.1 | v2.4.167 | 2023-01-20
CWE-79: In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.
Source: nvd
CVE-2021-37743 | P4 | MEDIUM | CVSS 5.4 | v2.4.147 | 2021-07-30
CWE-79: app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
Source: nvd
CVE-2024-46918 | P4 | MEDIUM | CVSS 4.9 | fixed in 2.4.198 | 2024-09-15
CWE-863: app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
Source: nvd
CVE-2026-10854 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.5.39 | 2026-06-04
CWE-200: A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type a
Source: nvd
CVE-2019-10254 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.105 | 2019-03-28
CWE-79: In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
Source: nvd
CVE-2020-13153 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.126 | 2020-05-18
CWE-79: app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
Source: nvd
CVE-2020-10247 | P4 | MEDIUM | CVSS 6.1 | v2.4.122 | 2020-03-09
CWE-79: MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
Source: nvd
CVE-2019-11812 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.107 | 2019-05-08
CWE-79: A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
Source: nvd
CVE-2019-11814 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.4.107 | 2019-05-08
CWE-79: An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
Source: nvd
CVE-2018-11562 | P4 | MEDIUM | CVSS 6.1 | v2.4.91 | 2018-05-30
CWE-79: An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.
Source: nvd