Vulnerabilities > Misp Project > Misp

DATE CVE VULNERABILITY TITLE RISK
2023-01-20 CVE-2023-24026 Cross-site Scripting vulnerability in Misp-Project Misp 2.4.167
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
network
low complexity
misp-project CWE-79
6.1
2023-01-20 CVE-2023-24028 Unspecified vulnerability in Misp-Project Misp 2.4.167
In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
network
low complexity
misp-project
critical
9.8
2018-05-18 CVE-2018-11245 Cross-site Scripting vulnerability in Misp-Project Misp 2.4.91
app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.
network
low complexity
misp-project CWE-79
6.1
2018-03-23 CVE-2018-8949 Exposed Dangerous Method or Function vulnerability in Misp-Project Misp
An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89.
network
low complexity
misp-project CWE-749
5.5
2018-03-23 CVE-2018-8948 Cross-site Scripting vulnerability in Misp-Project Misp
In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.
4.3
2017-11-13 CVE-2017-16802 Cross-site Scripting vulnerability in Misp-Project Misp 2.4.82
In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
3.5
2017-10-10 CVE-2017-15216 Cross-site Scripting vulnerability in Misp-Project Misp
MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.
4.3
2017-09-12 CVE-2017-14337 Improper Authentication vulnerability in Misp-Project Misp
When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.
6.8
2017-03-21 CVE-2017-7215 Cross-site Scripting vulnerability in Misp Project Misp
Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML.
4.3