Misp

81 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
  • EPSS 0.27%
  • Published 08.05.2019 13:29:00
  • Last modified 21.11.2024 04:21:48

An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.

  • EPSS 0.24%
  • Published 08.05.2019 13:29:00
  • Last modified 21.11.2024 04:21:48

A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.

  • EPSS 0.24%
  • Published 08.05.2019 13:29:00
  • Last modified 21.11.2024 04:21:49

An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.

  • EPSS 0.24%
  • Published 28.03.2019 15:29:00
  • Last modified 21.11.2024 04:18:45

In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.

  • EPSS 0.27%
  • Published 01.03.2019 05:29:00
  • Last modified 21.11.2024 04:51:42

In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / ...

Exploit
  • EPSS 40.07%
  • Published 06.12.2018 16:29:00
  • Last modified 21.11.2024 03:58:47

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute ar...

  • EPSS 0.29%
  • Published 22.06.2018 14:29:00
  • Last modified 21.11.2024 03:45:36

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POS...

  • EPSS 0.24%
  • Published 30.05.2018 20:29:00
  • Last modified 21.11.2024 03:43:37

An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.

  • EPSS 0.53%
  • Published 12.02.2018 17:29:00
  • Last modified 21.11.2024 04:11:26

In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject...

  • EPSS 0.3%
  • Published 25.11.2017 18:29:00
  • Last modified 20.04.2025 01:37:25

The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.