
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Mar 2025 — In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. • https://github.com/MISP/MISP/commit/33a1eb66408e16a7535b2bae48303efd9501a26a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Mar 2025 — In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. • https://github.com/MISP/MISP/commit/09a43870e733f79ffa33753ddc7bce3cbb5a5647 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Mar 2025 — In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints lack sanitization for non-JSON responses. • https://github.com/MISP/MISP/commit/f08a2eaec25f0212c22b225c0b654bd60d089ef9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Feb 2025 — app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. • https://github.com/MISP/MISP/commit/4f27f83a775aba4d3cca9255f69c3c9998b7df7f • CWE-863: Incorrect Authorization

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Sep 2024 — app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. • https://github.com/MISP/MISP/commit/3a5227d7b3d4518ac109af61979a00145a0de6fa • CWE-863: Incorrect Authorization

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Sep 2024 — In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. • https://github.com/MISP/MISP/commit/3f3b9a574f349182a545636e12efa39267e9db04 • CWE-284: Improper Access Control

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Mar 2024 — In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. • https://github.com/MISP/MISP/commit/6a2986be6aad6b37858b4869e238f517b295c111 • CWE-616: Incomplete Identification of Uploaded File Variables (PHP)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Mar 2024 — In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. • https://github.com/MISP/MISP/commit/238010bfd004680757b324cba0c6344f77a25399 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Feb 2024 — An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. • https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Feb 2024 — An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. • https://github.com/MISP/MISP/commit/0ac2468c2896f4be4ef9219cfe02bff164411594