Misp ≫ Misp

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.a...

In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.

app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.

app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.

In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.

In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.

In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.

app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.

app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.