
CVE-2023-24070
https://notcve.org/view.php?id=CVE-2023-24070
23 Jan 2023 — app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field. • https://github.com/MISP/MISP/commit/f7238fe5e71ac065daa43c8607d02f8ac682f18f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-24026
https://notcve.org/view.php?id=CVE-2023-24026
20 Jan 2023 — In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload. • https://github.com/MISP/MISP/commit/a46f794a136001101cbec84fccf3cc824e983493 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-24028
https://notcve.org/view.php?id=CVE-2023-24028
20 Jan 2023 — In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function. • https://github.com/MISP/MISP/commit/93bf15d3bd703a32ebfe86cb6c1c9b735cf23e30 • CWE-284: Improper Access Control

CVE-2022-47928
https://notcve.org/view.php?id=CVE-2022-47928
22 Dec 2022 — In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp. • https://github.com/MISP/MISP/commit/684d3e51398d4ea032b06fa4a1cd2bdf7d8b0ede • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-42724
https://notcve.org/view.php?id=CVE-2022-42724
10 Oct 2022 — app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have). • https://github.com/MISP/MISP/commit/934b9cd4fc6d6378ad349ea630ad9f1319ac82f5 • CWE-863: Incorrect Authorization

CVE-2018-11245
https://notcve.org/view.php?id=CVE-2018-11245
18 May 2018 — app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. • https://github.com/MISP/MISP/commit/5efc07b12f82301a6086fd3433fedd69fe7119d3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-8948
https://notcve.org/view.php?id=CVE-2018-8948
23 Mar 2018 — In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. • https://github.com/MISP/MISP/commit/01924cd948dbceb8391be671dab672e9f4a0ffe8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-8949
https://notcve.org/view.php?id=CVE-2018-8949
23 Mar 2018 — An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute. • https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd • CWE-749: Exposed Dangerous Method or Function

CVE-2017-16802
https://notcve.org/view.php?id=CVE-2017-16802
13 Nov 2017 — In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added. • https://github.com/MISP/MISP/commit/a659664447a7b2a383cb9e0f6b43dcb43ec69194 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-15216
https://notcve.org/view.php?id=CVE-2017-15216
10 Oct 2017 — MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js. • https://github.com/MISP/MISP/commit/ca6f4a783a6ba65532dc8767446bda44773ec627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')