CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8948
https://notcve.org/view.php?id=CVE-2018-8948
23 Mar 2018 — In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. En versiones anteriores a la 2.4.89 de MISP, app/View/Events/resolved_attributes.ctp presenta múltiples problemas de Cross-Site Scripting (XSS) debido a un módulo MISP malicioso. • https://github.com/MISP/MISP/commit/01924cd948dbceb8391be671dab672e9f4a0ffe8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8949
https://notcve.org/view.php?id=CVE-2018-8949
23 Mar 2018 — An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute. Se ha descubierto un problema en app/Model/Attribute.php, en versiones anteriores a la 2.4.89 de MISP. Existe un error crítico de integridad de API que podría permitir a los usuarios eliminar atributos de otros eventos.... • https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd • CWE-749: Exposed Dangerous Method or Function •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16946
https://notcve.org/view.php?id=CVE-2017-16946
25 Nov 2017 — The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. La función admin_edit en app/Controller/UsersController.php en MISP 2.4.82 gestiona de manera incorrecta el campo enable_password, lo que permite que administradores descubran una contraseña hasheada mediante la lectura del registro de auditoría. • https://github.com/MISP/MISP/commit/7d5890b2fc63285f010d5845913894dd71cf232c • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16802
https://notcve.org/view.php?id=CVE-2017-16802
13 Nov 2017 — In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added. En la función sharingGroupPopulateOrganisations en app/webroot/js/misp.js en MISP 2.4.82 existe XSS mediante un nombre de organización añadido manualmente. • https://github.com/MISP/MISP/commit/a659664447a7b2a383cb9e0f6b43dcb43ec69194 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •