MISP: Security Vulnerabilities
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2021-01-19
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-01-19
app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2020-12-06
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2020-11-24
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2020-11-19
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2020-11-02
An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-09-18
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2020-07-14
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2020-06-30
An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2020-06-30


Shodan ® - All rights reserved