Misp

misp

Vendor: Misp Project • 9 CVEs

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-24028 1Misp Project 1Misp Apr 3, 2025 Jan 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVE-2023-24026 1Misp Project 1Misp Apr 2, 2025 Jan 20, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
CVE-2018-11245 1Misp Project 1Misp Nov 21, 2024 May 18, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.
CVE-2018-8949 1Misp Project 1Misp Nov 21, 2024 Mar 23, 2018 N/A· v4 4.3 MEDIUM· v3 5.5 MEDIUM· v2 An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attri...Show more An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute.Show less
CVE-2018-8948 1Misp Project 1Misp Nov 21, 2024 Mar 23, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.
CVE-2017-16802 1Misp Project 1Misp May 13, 2026 Nov 13, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
CVE-2017-15216 1Misp Project 1Misp May 13, 2026 Oct 10, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.
CVE-2017-14337 1Misp Project 1Misp May 13, 2026 Sep 12, 2017 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and t...Show more When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.Show less
CVE-2017-7215 1Misp Project 1Misp May 13, 2026 Mar 21, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote att...Show more Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML.Show less