MISP 2.3.113 Security Vulnerabilities
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2022-04-20
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2022-04-20
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2022-04-20
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
CVSS Score: 4.8 | EPSS Score: 0.003 | Published: 2022-04-20
An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2022-04-20
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2022-04-20
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2022-03-18
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2022-03-18
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2022-03-18
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-03-18

