CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12794
https://notcve.org/view.php?id=CVE-2019-12794
11 Jun 2019 — An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host o... • https://github.com/MISP/MISP/commit/36b43f1306873cff87b7aa30cdc1a30b38c9c16a • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11814
https://notcve.org/view.php?id=CVE-2019-11814
08 May 2019 — An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. Se descubrió un problema en app/webroot/js/misp.js en el PSIM versiones anteriores a 2.4.107. Hay XSS persistente a través de los nombres de las imágenes en los títulos, como lo demuestra una captura de pantalla. • https://github.com/MISP/MISP/commit/62f15433e42fb92e45bd57dd6fc0c0bf53deb6fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11813
https://notcve.org/view.php?id=CVE-2019-11813
08 May 2019 — An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links. Fue encontrado un problema en el archivo app/View/Elements/Events/View/value_field.ctp en MISP anterior a la versión 2.4.107. Se presenta un XSS persistente por medio de los atributos tipo Link con enlances javascript://. • https://github.com/MISP/MISP/commit/6f6fb678ca07c80cb7d2bdfe5cb0313bb71bd487 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11812
https://notcve.org/view.php?id=CVE-2019-11812
08 May 2019 — A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. Un problema XSS persistente se descubrió en el archivo app/View/Helper/CommandHelper.php en MISP anterior a la versión 2.4.107 un JavaScript puede ser insertado en la interfaz discussion y puede ser activado haciendo clic sobre el enlace. • https://github.com/MISP/MISP/commit/3a085a6ceea00b3ab674a984dd56c1846ef775ff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10254
https://notcve.org/view.php?id=CVE-2019-10254
28 Mar 2019 — In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability. En MISP, en versiones anteriores a la 2.4.105, la plantilla de diseño por defecto "app/View/Layouts/default.ctp" tiene una vulnerabilidad de XSS reflejado. • https://github.com/MISP/MISP/commit/586cca384be6710b03e14bcbeb7588c1772604ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9482
https://notcve.org/view.php?id=CVE-2019-9482
01 Mar 2019 — In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only). En la versión 2.4.102 de MISP, un usuario autenticado puede ver sightings para los que no deberían ser eligibles. Su explotación requiere acceso al evento que ha recibido dicho sighting. • https://github.com/MISP/MISP/commit/c69969329d197bcdd04832b03310fa73f4eb7155 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 44%CPEs: 1EXPL: 2CVE-2018-19908 – MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
https://notcve.org/view.php?id=CVE-2018-19908
06 Dec 2018 — An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. Vulnerabilidad de escalado de privilegios en Microsoft Windows Client en McAfee True Key (TK) 5.1.230.7 permite que usuarios locales ejecuten código arbitrario mediante malware especialmente ... • https://packetstorm.news/files/id/151716 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12649
https://notcve.org/view.php?id=CVE-2018-12649
22 Jun 2018 — An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests. Se ha descubierto un problema en app/Controller/UsersController.php, en MISP 2.4.92. Un adversario puede omitir la protección de fuerza bruta mediante el uso de un método HTTP PUT en lugar de un método HTTP POST en la parte de inicio de sesión, ya qu... • https://github.com/MISP/MISP/commit/6ffacc1e239930e0e8464d0ca16e432e26cf36a9 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11562
https://notcve.org/view.php?id=CVE-2018-11562
30 May 2018 — An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. Se ha descubierto un problema en MISP 2.4.91. Una vulnerabilidad en app/View/Elements/eventattribute.ctp permite Cross-Site Scripting (XSS) reflejado si un usuario hace clic en un enlace malicioso para una vista de eventos y luego hace clic en el filtro rápido de atributos eliminados... • https://github.com/MISP/MISP/commit/10080096879d1076756f62760d6daf582b6db722 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11245
https://notcve.org/view.php?id=CVE-2018-11245
18 May 2018 — app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. app/webroot/js/misp.js en MISP 2.4.91 tiene Cross-Site Scripting (XSS) basado en DOM con atributos de tipo cortex. • https://github.com/MISP/MISP/commit/5efc07b12f82301a6086fd3433fedd69fe7119d3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •