Sami Mokaddem

23 exploits Active since Feb 2022
CVE-2022-25321 WRITEUP MEDIUM WRITEUP
cerebrate < 1.4 - Cross-Site Scripting in Bookmarks Component
An issue was discovered in Cerebrate through 1.4. XSS could occur in the bookmarks component.
CVSS 6.1
CVE-2022-25321 WRITEUP MEDIUM WRITEUP
cerebrate < 1.4 - Cross-Site Scripting in Bookmarks Component
An issue was discovered in Cerebrate through 1.4. XSS could occur in the bookmarks component.
CVSS 6.1
CVE-2022-42724 WRITEUP MEDIUM WRITEUP
MISP < 2.4.164 - Incorrect Authorization in UsersController
app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).
CVSS 4.3
CVE-2023-24026 WRITEUP MEDIUM WRITEUP
MISP 2.4.167 - Stored Cross-Site Scripting in Event-Graph Preview
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
CVSS 6.1
CVE-2023-24027 WRITEUP MEDIUM WRITEUP
MISP 2.4.167 - Stored Cross-Site Scripting via Network History Name
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.
CVSS 6.1
CVE-2023-24028 WRITEUP CRITICAL WRITEUP
MISP <2.4.167 - Privilege Escalation
In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVSS 9.8
CVE-2023-24070 WRITEUP MEDIUM WRITEUP
MISP < 2.4.167 - Cross-Site Scripting via Referer Field in AuthKey Add
app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.
CVSS 6.1
CVE-2023-26468 WRITEUP CRITICAL WRITEUP
cerebrate 1.12 - Unauthenticated API Key Creation via Missing Organisation ID Check
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys.
CVSS 9.1
CVE-2023-28606 WRITEUP MEDIUM WRITEUP
MISP < 2.4.169 - Cross-Site Scripting via Event-Graph Node Tooltips
js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips.
CVSS 6.1
CVE-2023-28607 WRITEUP MEDIUM WRITEUP
MISP < 2.4.169 - Cross-Site Scripting in Event-Graph Relationship Tooltip
js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip.
CVSS 6.1
CVE-2023-28883 WRITEUP CRITICAL WRITEUP
Cerebrate 1.13 - Blind SQL Injection via SearchAll API Endpoint
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.
CVSS 9.8
CVE-2023-28884 WRITEUP MEDIUM WRITEUP
MISP 2.4.169 - Cross-Site Scripting in Community Index
In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index.
CVSS 6.1
CVE-2023-37307 WRITEUP MEDIUM WRITEUP
MISP < 2.4.172 - Stored Cross-Site Scripting in title_for_layout
In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.
CVSS 5.4
CVE-2023-40224 WRITEUP MEDIUM WRITEUP
MISP 2.4.174 - Cross-Site Scripting in Events Index View
MISP 2.4.174 allows XSS in app/View/Events/index.ctp.
CVSS 6.1
CVE-2023-41908 WRITEUP MEDIUM WRITEUP
cerebrate < 1.15 - Missing Secure Attribute for Session Cookie
Cerebrate before 1.15 lacks the Secure attribute for the session cookie.
CVSS 5.3
CVE-2023-49926 WRITEUP MEDIUM WRITEUP
MISP < 2.4.179 - Cross-Site Scripting in Event Timeline Widget
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.
CVSS 6.1
CVE-2024-25674 WRITEUP CRITICAL WRITEUP
MISP < 2.4.184 - Unrestricted Upload of File with Dangerous Type via Organisation Logo Upload
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
CVSS 9.8
CVE-2024-25675 WRITEUP CRITICAL WRITEUP
MISP < 2.4.184 - Unauthenticated Export Generation via GET Request
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.
CVSS 9.8
CVE-2024-46918 WRITEUP MEDIUM WRITEUP
MISP < 2.4.198 - Incorrect Authorization in UserLoginProfilesController
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
CVSS 4.9
CVE-2024-54674 WRITEUP MEDIUM WRITEUP
MISP through 2.5.2 - Stored Cross-Site Scripting in Galaxy Cluster Export
app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.
CVSS 6.1
CVE-2024-54675 WRITEUP MEDIUM WRITEUP
MISP through 2.5.2 - Stored Cross-Site Scripting in Workflows Editor
app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.
CVSS 6.1
CVE-2025-66385 WRITEUP CRITICAL WRITEUP
Cerebrate <1.30 - Privilege Escalation
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.
CVE-2025-66386 WRITEUP MEDIUM WRITEUP
MISP < 2.5.27 - Authenticated Path Traversal in EventReport Picture View
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.
CVSS 4.1