CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12649
https://notcve.org/view.php?id=CVE-2018-12649
22 Jun 2018 — An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests. Se ha descubierto un problema en app/Controller/UsersController.php, en MISP 2.4.92. Un adversario puede omitir la protección de fuerza bruta mediante el uso de un método HTTP PUT en lugar de un método HTTP POST en la parte de inicio de sesión, ya qu... • https://github.com/MISP/MISP/commit/6ffacc1e239930e0e8464d0ca16e432e26cf36a9 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11562
https://notcve.org/view.php?id=CVE-2018-11562
30 May 2018 — An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. Se ha descubierto un problema en MISP 2.4.91. Una vulnerabilidad en app/View/Elements/eventattribute.ctp permite Cross-Site Scripting (XSS) reflejado si un usuario hace clic en un enlace malicioso para una vista de eventos y luego hace clic en el filtro rápido de atributos eliminados... • https://github.com/MISP/MISP/commit/10080096879d1076756f62760d6daf582b6db722 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11245
https://notcve.org/view.php?id=CVE-2018-11245
18 May 2018 — app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. app/webroot/js/misp.js en MISP 2.4.91 tiene Cross-Site Scripting (XSS) basado en DOM con atributos de tipo cortex. • https://github.com/MISP/MISP/commit/5efc07b12f82301a6086fd3433fedd69fe7119d3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8948
https://notcve.org/view.php?id=CVE-2018-8948
23 Mar 2018 — In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. En versiones anteriores a la 2.4.89 de MISP, app/View/Events/resolved_attributes.ctp presenta múltiples problemas de Cross-Site Scripting (XSS) debido a un módulo MISP malicioso. • https://github.com/MISP/MISP/commit/01924cd948dbceb8391be671dab672e9f4a0ffe8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8949
https://notcve.org/view.php?id=CVE-2018-8949
23 Mar 2018 — An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute. Se ha descubierto un problema en app/Model/Attribute.php, en versiones anteriores a la 2.4.89 de MISP. Existe un error crítico de integridad de API que podría permitir a los usuarios eliminar atributos de otros eventos.... • https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd • CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6926
https://notcve.org/view.php?id=CVE-2018-6926
12 Feb 2018 — In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator. En app/Controller/ServersController.php en MISP 2.4.87, una opción del servidor permitía el reemplazo de una variable de ruta en ciertos sistemas Red He... • https://github.com/MISP/MISP/commit/0a2aa9d52492d960b9a161160acedbe9caaa4126 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16946
https://notcve.org/view.php?id=CVE-2017-16946
25 Nov 2017 — The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. La función admin_edit en app/Controller/UsersController.php en MISP 2.4.82 gestiona de manera incorrecta el campo enable_password, lo que permite que administradores descubran una contraseña hasheada mediante la lectura del registro de auditoría. • https://github.com/MISP/MISP/commit/7d5890b2fc63285f010d5845913894dd71cf232c • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16802
https://notcve.org/view.php?id=CVE-2017-16802
13 Nov 2017 — In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added. En la función sharingGroupPopulateOrganisations en app/webroot/js/misp.js en MISP 2.4.82 existe XSS mediante un nombre de organización añadido manualmente. • https://github.com/MISP/MISP/commit/a659664447a7b2a383cb9e0f6b43dcb43ec69194 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15216
https://notcve.org/view.php?id=CVE-2017-15216
10 Oct 2017 — MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js. MISP en versiones anteriores a 2.4.81 tiene XSS reflejado potencial en una acción quickDelete que se usa para borrar un sighting, relacionado con app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp y app/webroot/js/misp.js. • https://github.com/MISP/MISP/commit/ca6f4a783a6ba65532dc8767446bda44773ec627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14337
https://notcve.org/view.php?id=CVE-2017-14337
12 Sep 2017 — When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user. Cuando MISP en versiones anteriores a la 2.4.80 se configura con la autenticación del certificado X.509 (CertAuth) conjuntamente con una API ReST de gestión de usuarios externos no pertenecie... • https://github.com/MISP/MISP/commit/be111a470204a974c50682054c9c7d4b94396ed9 • CWE-287: Improper Authentication •