Misp ≫ Misp

MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."

An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.