CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10254
https://notcve.org/view.php?id=CVE-2019-10254
28 Mar 2019 — In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. En MISP, en versiones anteriores a la 2.4.105, la plantilla de diseño por defecto "app/View/Layouts/default.ctp" tiene una vulnerabilidad de XSS reflejado. • https://github.com/MISP/MISP/commit/586cca384be6710b03e14bcbeb7588c1772604ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9482
https://notcve.org/view.php?id=CVE-2019-9482
01 Mar 2019 — In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). En la versión 2.4.102 de MISP, un usuario autenticado puede ver sightings para los que no deberían ser eligibles. Su explotación requiere acceso al evento que ha recibido dicho sighting. • https://github.com/MISP/MISP/commit/c69969329d197bcdd04832b03310fa73f4eb7155 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 44%CPEs: 1EXPL: 2CVE-2018-19908 – MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
https://notcve.org/view.php?id=CVE-2018-19908
06 Dec 2018 — An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. Vulnerabilidad de escalado de privilegios en Microsoft Windows Client en McAfee True Key (TK) 5.1.230.7 permite que usuarios locales ejecuten código arbitrario mediante malware especialmente ... • https://packetstorm.news/files/id/151716 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12649
https://notcve.org/view.php?id=CVE-2018-12649
22 Jun 2018 — An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests. Se ha descubierto un problema en app/Controller/UsersController.php, en MISP 2.4.92. Un adversario puede omitir la protección de fuerza bruta mediante el uso de un método HTTP PUT en lugar de un método HTTP POST en la parte de inicio de sesión, ya qu... • https://github.com/MISP/MISP/commit/6ffacc1e239930e0e8464d0ca16e432e26cf36a9 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11562
https://notcve.org/view.php?id=CVE-2018-11562
30 May 2018 — An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. Se ha descubierto un problema en MISP 2.4.91. Una vulnerabilidad en app/View/Elements/eventattribute.ctp permite Cross-Site Scripting (XSS) reflejado si un usuario hace clic en un enlace malicioso para una vista de eventos y luego hace clic en el filtro rápido de atributos eliminados... • https://github.com/MISP/MISP/commit/10080096879d1076756f62760d6daf582b6db722 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11245
https://notcve.org/view.php?id=CVE-2018-11245
18 May 2018 — app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. app/webroot/js/misp.js en MISP 2.4.91 tiene Cross-Site Scripting (XSS) basado en DOM con atributos de tipo cortex. • https://github.com/MISP/MISP/commit/5efc07b12f82301a6086fd3433fedd69fe7119d3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8948
https://notcve.org/view.php?id=CVE-2018-8948
23 Mar 2018 — In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. En versiones anteriores a la 2.4.89 de MISP, app/View/Events/resolved_attributes.ctp presenta múltiples problemas de Cross-Site Scripting (XSS) debido a un módulo MISP malicioso. • https://github.com/MISP/MISP/commit/01924cd948dbceb8391be671dab672e9f4a0ffe8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8949
https://notcve.org/view.php?id=CVE-2018-8949
23 Mar 2018 — An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute. Se ha descubierto un problema en app/Model/Attribute.php, en versiones anteriores a la 2.4.89 de MISP. Existe un error crítico de integridad de API que podría permitir a los usuarios eliminar atributos de otros eventos.... • https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd • CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6926
https://notcve.org/view.php?id=CVE-2018-6926
12 Feb 2018 — In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator. En app/Controller/ServersController.php en MISP 2.4.87, una opción del servidor permitía el reemplazo de una variable de ruta en ciertos sistemas Red He... • https://github.com/MISP/MISP/commit/0a2aa9d52492d960b9a161160acedbe9caaa4126 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16946
https://notcve.org/view.php?id=CVE-2017-16946
25 Nov 2017 — The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. La función admin_edit en app/Controller/UsersController.php en MISP 2.4.82 gestiona de manera incorrecta el campo enable_password, lo que permite que administradores descubran una contraseña hasheada mediante la lectura del registro de auditoría. • https://github.com/MISP/MISP/commit/7d5890b2fc63285f010d5845913894dd71cf232c • CWE-532: Insertion of Sensitive Information into Log File •