Vulnerabilities (CVE)

Filtered by vendor Misp Subscribe

Filtered by product Misp

Total 66 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2019-9482	1 Misp	1 Misp	2024-02-04	3.5 LOW	5.3 MEDIUM
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).
CVE-2018-11562	1 Misp	1 Misp	2024-02-04	4.3 MEDIUM	6.1 MEDIUM
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.
CVE-2018-6926	1 Misp	1 Misp	2024-02-04	9.0 HIGH	7.2 HIGH
In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.
CVE-2018-12649	1 Misp	1 Misp	2024-02-04	5.0 MEDIUM	9.8 CRITICAL
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
CVE-2017-16946	1 Misp	1 Misp	2024-02-04	4.0 MEDIUM	4.9 MEDIUM
The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.
CVE-2017-13671	1 Misp	1 Misp	2024-02-04	4.3 MEDIUM	6.1 MEDIUM
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.