Misp-project ≫ Misp

In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.

app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."

An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.