Sami Mokaddem

22 exploits. Active since Feb 2022.
CVE-2022-25321 [MEDIUM]
Cerebrate < 1.4 - XSS
An issue was discovered in Cerebrate through 1.4. XSS could occur in the bookmarks component.
CVSS 6.1
CVE-2022-42724 [MEDIUM]
Misp-project Malware Information Shar... - Incorrect Authorization
app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).
CVSS 4.3
CVE-2023-24026 [MEDIUM]
MISP <2.4.167 - XSS
In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
CVSS 6.1
CVE-2023-24027 [MEDIUM]
MISP <2.4.167 - XSS
In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.
CVSS 6.1
CVE-2023-24028 [CRITICAL]
MISP <2.4.167 - Privilege Escalation
In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVSS 9.8
CVE-2023-24070 [MEDIUM]
MISP <2.4.167 - XSS
app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.
CVSS 6.1
CVE-2023-26468 [CRITICAL]
Cerebrate 1.12 - Info Disclosure
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys.
CVSS 9.1
CVE-2023-28606 [MEDIUM]
MISP <2.4.169 - XSS
js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips.
CVSS 6.1
CVE-2023-28607 [MEDIUM]
MISP <2.4.169 - XSS
js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip.
CVSS 6.1
CVE-2023-28883 [CRITICAL]
Cerebrate 1.13 - SQL Injection
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.
CVSS 9.8
CVE-2023-28884 [MEDIUM]
MISP 2.4.169 - XSS
In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index.
CVSS 6.1
CVE-2023-37307 [MEDIUM]
Misp-project Malware Information Sharing Platform < 2.4.172 - XSS
In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.
CVSS 5.4
CVE-2023-40224 [MEDIUM]
Misp - XSS
MISP 2.4.174 allows XSS in app/View/Events/index.ctp.
CVSS 6.1
CVE-2023-41908 [MEDIUM]
Cerebrate < 1.15 - Missing Authorization
Cerebrate before 1.15 lacks the Secure attribute for the session cookie.
CVSS 5.3
CVE-2023-49926 [MEDIUM]
Misp < 2.4.179 - XSS
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.
CVSS 6.1
CVE-2024-25674 [CRITICAL]
Misp < 2.4.184 - Unrestricted File Upload
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
CVSS 9.8
CVE-2024-25675 [CRITICAL]
MISP <2.4.184 - Info Disclosure
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.
CVSS 9.8
CVE-2024-46918 [MEDIUM]
Misp < 2.4.198 - Incorrect Authorization
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
CVSS 4.9
CVE-2024-54674 [MEDIUM]
MISP <2.5.2 - XSS
app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.
CVSS 6.1
CVE-2024-54675 [MEDIUM]
MISP <2.5.2 - XSS
app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.
CVSS 6.1
CVE-2025-66385 [CRITICAL]
Cerebrate <1.30 - Privilege Escalation
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.
CVE-2025-66386 [MEDIUM]
MISP <2.5.27 - Path Traversal
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.
CVSS 4.1