Shodan
Vulnerabilities
Vulnerable Software
Misp:  >> Misp  >> 2.4.128  Security Vulnerabilities
CVE-2022-29534
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-04-20
CVE-2022-27243
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
CVSS Score
7.8
EPSS Score
0.002
Published
2022-03-18
CVE-2022-27244
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-03-18
CVE-2022-27245
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-03-18
CVE-2022-27246
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-03-18
CVE-2021-41326
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
CVSS Score
9.8
EPSS Score
0.003
Published
2021-09-17
CVE-2021-36212
app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-07-07
CVE-2021-27904
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
CVSS Score
5.5
EPSS Score
0.001
Published
2021-03-02
CVE-2020-24085
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-01-26
CVE-2020-29006
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-11-24


Products
Pricing
Contact Us

Shodan ® - All rights reserved