Misp-project ≫ Misp

In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.

In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.

In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.

In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.

app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.

In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.

In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.