
CVE-2024-58128
https://notcve.org/view.php?id=CVE-2024-58128
28 Mar 2025 — In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. • https://github.com/MISP/MISP/commit/33a1eb66408e16a7535b2bae48303efd9501a26a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58129
https://notcve.org/view.php?id=CVE-2024-58129
28 Mar 2025 — In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. • https://github.com/MISP/MISP/commit/09a43870e733f79ffa33753ddc7bce3cbb5a5647 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58130
https://notcve.org/view.php?id=CVE-2024-58130
28 Mar 2025 — In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. • https://github.com/MISP/MISP/commit/f08a2eaec25f0212c22b225c0b654bd60d089ef9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-57969
https://notcve.org/view.php?id=CVE-2024-57969
14 Feb 2025 — app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. • https://github.com/MISP/MISP/commit/4f27f83a775aba4d3cca9255f69c3c9998b7df7f • CWE-863: Incorrect Authorization •

CVE-2024-25674
https://notcve.org/view.php?id=CVE-2024-25674
09 Feb 2024 — An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. • https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-25675
https://notcve.org/view.php?id=CVE-2024-25675
09 Feb 2024 — An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. • https://github.com/MISP/MISP/commit/0ac2468c2896f4be4ef9219cfe02bff164411594 •

CVE-2023-50918
https://notcve.org/view.php?id=CVE-2023-50918
15 Dec 2023 — app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. • https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1 •

CVE-2023-49926
https://notcve.org/view.php?id=CVE-2023-49926
03 Dec 2023 — app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. • https://github.com/MISP/MISP/commit/dc73287ee2000476e3a5800ded402825ca10f7e8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-24026
https://notcve.org/view.php?id=CVE-2023-24026
20 Jan 2023 — In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload. • https://github.com/MISP/MISP/commit/a46f794a136001101cbec84fccf3cc824e983493 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-24027
https://notcve.org/view.php?id=CVE-2023-24027
20 Jan 2023 — In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. • https://github.com/MISP/MISP/commit/72c5424034c378583d128fc1e769aae33fb1c8b9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •