MISP (misp-project/misp) vulnerabilities
121 known vulnerabilities affecting misp-project/misp.
Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 26, HIGH 23, MEDIUM 72
Vulnerabilities
Page 6 of 7
CVE-2019-11813 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.4.107 | 2019-05-08
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
Source: NVD

CVE-2023-24070 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 2.4.167 | 2023-01-23
app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.
Source: NVD

CVE-2023-24026 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.4.167 | 2023-01-20
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
Source: NVD

CVE-2023-28607 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.4.169 | 2023-03-18
js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip.
Source: NVD

CVE-2023-28606 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.4.169 | 2023-03-18
js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips.
Source: NVD

CVE-2021-27904 | P4 | MEDIUM | CVSS 5.5 | ≤ 2.4.139 | 2021-03-02
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
Source: NVD

CVE-2026-10855 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 2.5.39 | 2026-06-04
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with
Source: NVD

CVE-2017-15216 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 2.4.80 | 2017-10-10
MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.
Source: NVD

CVE-2020-10246 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.4.122 | 2020-03-09
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
Source: NVD

CVE-2018-8948 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.4.89 | 2018-03-23
In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.
Source: NVD

CVE-2021-25325 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.4.136 | 2021-01-19
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.
Source: NVD

CVE-2017-16802 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v2.4.82 | 2017-11-13
In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
Source: NVD

CVE-2018-11245 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.4.91 | 2018-05-18
app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.
Source: NVD

CVE-2022-29532 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 2.4.158 | 2022-04-20
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
Source: NVD

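Several entries on this page share one root cause: CVE-2019-11813, CVE-2021-25325 and CVE-2022-29532 all describe a user-supplied value that looks like a URL being written into an href without a scheme check, so a javascript: link executes when a different user clicks it; the event-graph tooltip entries (CVE-2023-28606, CVE-2023-28607) are the same mistake with text rather than a link. The block below is an added example, not code from MISP or from the NVD entries: a scheme allowlist built on the URL parser (so case, leading whitespace and embedded tabs do not bypass it) beside an HTML escaper for tooltip text, with a representative unsafe renderer for contrast. The function names (isSafeLinkUrl, renderLink, escapeHtml), the allowed-scheme list and the unsafe renderer's shape are this example's assumptions, not MISP's actual code.

```javascript
// Added example, not MISP code. Scheme allowlisting for attacker-controlled
// link values plus HTML escaping for text that lands in tooltips/titles.

// Assumption: MISP's own accepted schemes may differ from this list.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'mailto:']);

// Minimal HTML escaper for text and attribute values. '&' is replaced first
// so already-escaped entities are not double-handled incorrectly.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Normalised scheme of a value, or null if it is relative or malformed.
// Going through the WHATWG URL parser means "JavaScript:", " javascript:"
// and "java\tscript:" all normalise to "javascript:", which a naive
// startsWith('javascript:') check would miss.
function linkScheme(value) {
  try {
    return new URL(String(value)).protocol;
  } catch (e) {
    return null;
  }
}

function isSafeLinkUrl(value) {
  const scheme = linkScheme(value);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Representative unsafe pattern (constructed for contrast, not MISP's code):
// the value goes straight into href, so "javascript:..." runs on click and
// any '"' in it breaks out of the attribute.
function renderLinkUnsafe(value) {
  return '<a href="' + value + '">' + value + '</a>';
}

// Hardened form: non-allowlisted schemes are rendered as inert text, and both
// the visible text and the optional tooltip are escaped before reaching HTML.
function renderLink(value, title) {
  const text = escapeHtml(value);
  const titleAttr = title === undefined ? '' : ' title="' + escapeHtml(title) + '"';
  if (!isSafeLinkUrl(value)) {
    return '<span' + titleAttr + '>' + text + '</span>';
  }
  return '<a href="' + escapeHtml(value) + '" rel="noopener noreferrer"' +
    titleAttr + '>' + text + '</a>';
}

// Stand-alone demo over constructed sample values.
const SAMPLE_VALUES = [
  'https://example.com/report?id=1&x=2',
  'javascript://example.com/%0aalert(1)',
  'JavaScript:alert(1)',
  ' javascript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'example.com',
];
for (const v of SAMPLE_VALUES) {
  console.log((isSafeLinkUrl(v) ? 'allow ' : 'block ') + JSON.stringify(v));
}
```

Because the check rides on the URL parser, relative values such as /events/view/1 are rejected too; if a field legitimately holds relative links, resolve them against a fixed base (new URL(value, base)) before checking the scheme. The string-building form is used here only so the example runs under Node without a DOM; in browser code, assign textContent and the href property directly instead of concatenating markup.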
CVE-2018-8949 | P4 | MEDIUM | CVSS 4.3 | CWE-749 | fixed in 2.4.89 | 2018-03-23
An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute.
Source: NVD

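CVE-2026-10855 above (template overwrite without an ownership check) and CVE-2018-8949 (attribute overwrite through a client-supplied id that belongs to another event) are the same class of bug: the server resolves a record from an identifier in the request and writes to it without confirming that the record sits inside the scope the caller is allowed to modify. The block below is an added example, not MISP's code: the same scope check applied to both write paths, in JavaScript over constructed in-memory tables. The field names, the site-admin bypass, and the choice to refuse a foreign identifier rather than silently create a new record are assumptions of this example.

```javascript
// Added example, not MISP code. Two overwrite paths that resolve a record from
// a client-supplied identifier, each guarded by a scope check before writing.

class AuthzError extends Error {}

// Constructed sample tables (assumption: a minimal stand-in for MISP's rows),
// returned fresh so every call starts from the same state.
function sampleAttributes() {
  return [
    { id: 10, uuid: 'a1', event_id: 1, value: 'evil.example' },
    { id: 11, uuid: 'b2', event_id: 2, value: '198.51.100.7' }, // another event's row
  ];
}
function sampleTemplates() {
  return [{ id: 1, name: 'phishing-triage', org_id: 5, body: 'v1' }];
}

let counter = 100;
function nextId() { return ++counter; }

// (1) Attribute edit for eventId. The payload may name an attribute by uuid or
// by numeric id. Whichever is used, the resolved row must belong to eventId;
// a row from another event makes the whole edit fail instead of being
// overwritten (the CVE-2018-8949 shape: ids set, uuids absent).
function applyEventEdit(store, eventId, incoming) {
  const results = [];
  for (const a of incoming) {
    let target = null;
    if (a.uuid !== undefined) {
      target = store.find(x => x.uuid === a.uuid) || null;
    } else if (a.id !== undefined) {
      target = store.find(x => x.id === a.id) || null;
    }
    if (target && target.event_id !== eventId) {
      throw new AuthzError(
        'attribute ' + target.id + ' belongs to event ' + target.event_id + ', not ' + eventId);
    }
    if (target) {
      target.value = a.value;
      results.push({ action: 'updated', id: target.id });
    } else {
      const id = nextId();
      const created = { id, uuid: a.uuid || ('gen-' + id), event_id: eventId, value: a.value };
      store.push(created);
      results.push({ action: 'created', id });
    }
  }
  return results;
}

// (2) Template import. In overwrite mode an existing template of the same
// name is replaced only if the importer's organisation owns it (or the
// importer is a site admin, an assumed bypass). Checking mere existence, as
// the CVE-2026-10855 entry describes, is not enough.
function importTemplate(store, user, tmpl, opts) {
  const existing = store.find(t => t.name === tmpl.name) || null;
  if (!existing) {
    store.push({ id: nextId(), name: tmpl.name, org_id: user.org_id, body: tmpl.body });
    return 'created';
  }
  if (!opts.overwrite) return 'exists';
  if (!user.site_admin && existing.org_id !== user.org_id) {
    throw new AuthzError('template "' + tmpl.name + '" is owned by org ' + existing.org_id);
  }
  existing.body = tmpl.body;
  return 'overwritten';
}

// Stand-alone demo: a foreign id in an edit is refused, not applied.
const demoStore = sampleAttributes();
try {
  applyEventEdit(demoStore, 1, [{ id: 11, value: 'overwritten?' }]);
} catch (e) {
  console.log('refused: ' + e.message);
}
console.log('row 11 still reads ' + demoStore[1].value);
```

The important property is that the scope check runs after resolution and before the write, regardless of which identifier the client used: matching by uuid alone does not help if the uuid lookup is global and the event_id is never compared.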
CVE-2022-27244 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 2.4.156 | 2022-03-18
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
Source: NVD

CVE-2024-58128 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 2.4.193 | 2025-03-28
In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.
Source: NVD

CVE-2024-58129 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 2.4.193 | 2025-03-28
In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.
Source: NVD

CVE-2022-42724 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | fixed in 2.4.164 | 2022-10-10
app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).
Source: NVD

CVE-2024-57969 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | fixed in 2.4.198 | 2025-02-14
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.
Source: NVD