
CVE-2024-58128
https://notcve.org/view.php?id=CVE-2024-58128
28 Mar 2025 — In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. • https://github.com/MISP/MISP/commit/33a1eb66408e16a7535b2bae48303efd9501a26a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58129
https://notcve.org/view.php?id=CVE-2024-58129
28 Mar 2025 — In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. • https://github.com/MISP/MISP/commit/09a43870e733f79ffa33753ddc7bce3cbb5a5647 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58130
https://notcve.org/view.php?id=CVE-2024-58130
28 Mar 2025 — In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. • https://github.com/MISP/MISP/commit/f08a2eaec25f0212c22b225c0b654bd60d089ef9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-57969
https://notcve.org/view.php?id=CVE-2024-57969
14 Feb 2025 — app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. • https://github.com/MISP/MISP/commit/4f27f83a775aba4d3cca9255f69c3c9998b7df7f • CWE-863: Incorrect Authorization •

CVE-2024-25674
https://notcve.org/view.php?id=CVE-2024-25674
09 Feb 2024 — An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. • https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-25675
https://notcve.org/view.php?id=CVE-2024-25675
09 Feb 2024 — An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. • https://github.com/MISP/MISP/commit/0ac2468c2896f4be4ef9219cfe02bff164411594 •

CVE-2023-50918
https://notcve.org/view.php?id=CVE-2023-50918
15 Dec 2023 — app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. • https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1 •

CVE-2023-49926
https://notcve.org/view.php?id=CVE-2023-49926
03 Dec 2023 — app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. • https://github.com/MISP/MISP/commit/dc73287ee2000476e3a5800ded402825ca10f7e8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-41098
https://notcve.org/view.php?id=CVE-2023-41098
23 Aug 2023 — An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit. • https://github.com/MISP/MISP/commit/09fb0cba65eab9341e81f1cbebc2ae10be34a2b7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-40224
https://notcve.org/view.php?id=CVE-2023-40224
10 Aug 2023 — MISP 2.4.174 allows XSS in app/View/Events/index.ctp. • https://github.com/MISP/MISP/commit/0274f8b6332e82317c9529b583d03897adf5883e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •