CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14286
https://notcve.org/view.php?id=CVE-2019-14286
27 Jul 2019 — In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability. En el archivo app/webroot/js/event-graph.js en MISP versión 2.4.111, se presenta una vulnerabilidad de tipo XSS almacenado en la visualización de gráficos de eventos cuando un usuario alterna la visualización de gráficos de eventos. Se necesita diseñar un evento MISP malicioso para d... • https://github.com/MISP/MISP/commit/26bedd8a68c32a2f14460a8eac2a9fb09923392b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 2%CPEs: 1EXPL: 0CVE-2019-12868
https://notcve.org/view.php?id=CVE-2019-12868
17 Jun 2019 — app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. El archivo app/Model/Server.php en MISP versión 2.4.109 permite la ejecución de comandos remota por parte de un super administrador porque la función file_exists de PHP se utiliza con entradas controladas por el usuario, y las URL phar:// activan la deserialización. • https://github.com/MISP/MISP/commit/c42c5fe92783dd306b7600db1f6a25324445b40c • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12794
https://notcve.org/view.php?id=CVE-2019-12794
11 Jun 2019 — An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host o... • https://github.com/MISP/MISP/commit/36b43f1306873cff87b7aa30cdc1a30b38c9c16a • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11814
https://notcve.org/view.php?id=CVE-2019-11814
08 May 2019 — An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. Se descubrió un problema en app/webroot/js/misp.js en el PSIM versiones anteriores a 2.4.107. Hay XSS persistente a través de los nombres de las imágenes en los títulos, como lo demuestra una captura de pantalla. • https://github.com/MISP/MISP/commit/62f15433e42fb92e45bd57dd6fc0c0bf53deb6fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11813
https://notcve.org/view.php?id=CVE-2019-11813
08 May 2019 — An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links. Fue encontrado un problema en el archivo app/View/Elements/Events/View/value_field.ctp en MISP anterior a la versión 2.4.107. Se presenta un XSS persistente por medio de los atributos tipo Link con enlances javascript://. • https://github.com/MISP/MISP/commit/6f6fb678ca07c80cb7d2bdfe5cb0313bb71bd487 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11812
https://notcve.org/view.php?id=CVE-2019-11812
08 May 2019 — A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. Un problema XSS persistente se descubrió en el archivo app/View/Helper/CommandHelper.php en MISP anterior a la versión 2.4.107 un JavaScript puede ser insertado en la interfaz discussion y puede ser activado haciendo clic sobre el enlace. • https://github.com/MISP/MISP/commit/3a085a6ceea00b3ab674a984dd56c1846ef775ff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10254
https://notcve.org/view.php?id=CVE-2019-10254
28 Mar 2019 — In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. En MISP, en versiones anteriores a la 2.4.105, la plantilla de diseño por defecto "app/View/Layouts/default.ctp" tiene una vulnerabilidad de XSS reflejado. • https://github.com/MISP/MISP/commit/586cca384be6710b03e14bcbeb7588c1772604ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9482
https://notcve.org/view.php?id=CVE-2019-9482
01 Mar 2019 — In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). En la versión 2.4.102 de MISP, un usuario autenticado puede ver sightings para los que no deberían ser eligibles. Su explotación requiere acceso al evento que ha recibido dicho sighting. • https://github.com/MISP/MISP/commit/c69969329d197bcdd04832b03310fa73f4eb7155 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 44%CPEs: 1EXPL: 2CVE-2018-19908 – MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
https://notcve.org/view.php?id=CVE-2018-19908
06 Dec 2018 — An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. Vulnerabilidad de escalado de privilegios en Microsoft Windows Client en McAfee True Key (TK) 5.1.230.7 permite que usuarios locales ejecuten código arbitrario mediante malware especialmente ... • https://packetstorm.news/files/id/151716 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12649
https://notcve.org/view.php?id=CVE-2018-12649
22 Jun 2018 — An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests. Se ha descubierto un problema en app/Controller/UsersController.php, en MISP 2.4.92. Un adversario puede omitir la protección de fuerza bruta mediante el uso de un método HTTP PUT en lugar de un método HTTP POST en la parte de inicio de sesión, ya qu... • https://github.com/MISP/MISP/commit/6ffacc1e239930e0e8464d0ca16e432e26cf36a9 • CWE-307: Improper Restriction of Excessive Authentication Attempts •