iglocska

68 exploits Active since Sep 2016
CVE-2020-13153 WRITEUP MEDIUM WRITEUP
MISP <2.4.126 - XSS
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
CVSS 6.1
CVE-2020-14969 WRITEUP HIGH WRITEUP
MISP 2.4.127 - Info Disclosure
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.
CVSS 7.5
CVE-2020-15711 WRITEUP HIGH WRITEUP
Misp < 2.4.129 - CSRF
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
CVSS 8.8
CVE-2020-24085 WRITEUP MEDIUM WRITEUP
MISP <2.4.128 - XSS
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.
CVSS 6.1
CVE-2020-28043 WRITEUP HIGH WRITEUP
Misp < 2.4.133 - SSRF
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
CVSS 7.5
CVE-2020-8890 WRITEUP MEDIUM WRITEUP
MISP <2.4.121 - Info Disclosure
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.
CVSS 5.9
CVE-2020-8891 WRITEUP MEDIUM WRITEUP
MISP <2.4.121 - Info Disclosure
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.
CVSS 5.9
CVE-2020-8892 WRITEUP HIGH WRITEUP
MISP <2.4.121 - DoS
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.
CVSS 8.1
CVE-2020-8894 WRITEUP MEDIUM WRITEUP
MISP <2.4.121 - Info Disclosure
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php.
CVSS 6.5
CVE-2021-25323 WRITEUP CRITICAL WRITEUP
MISP 2.4.136 - Info Disclosure
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
CVSS 9.1
CVE-2021-25324 WRITEUP MEDIUM WRITEUP
MISP 2.4.136 - XSS
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.
CVSS 6.1
CVE-2021-25325 WRITEUP MEDIUM WRITEUP
MISP 2.4.136 - XSS
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.
CVSS 6.1
CVE-2021-27904 WRITEUP MEDIUM WRITEUP
MISP <2.4.139 - Info Disclosure
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
CVSS 5.5
CVE-2021-31780 WRITEUP HIGH WRITEUP
Misp - Information Disclosure
In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused.
CVSS 7.5
CVE-2021-3184 WRITEUP MEDIUM WRITEUP
Misp - XSS
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
CVSS 6.1
CVE-2021-41326 WRITEUP CRITICAL WRITEUP
MISP <2.4.148 - RCE
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
CVSS 9.8
CVE-2022-25317 WRITEUP MEDIUM WRITEUP
Cerebrate < 1.4 - XSS
An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description.
CVSS 6.1
CVE-2022-25318 WRITEUP MEDIUM WRITEUP
Cerebrate < 1.4 - Incorrect Authorization
An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.
CVSS 4.3
CVE-2022-25319 WRITEUP MEDIUM WRITEUP
Cerebrate <1.4 - Info Disclosure
An issue was discovered in Cerebrate through 1.4. Endpoints could be open even when not enabled.
CVSS 5.3
CVE-2022-25320 WRITEUP MEDIUM WRITEUP
Cerebrate <1.4 - Info Disclosure
An issue was discovered in Cerebrate through 1.4. Username enumeration could occur.
CVSS 5.3
CVE-2022-27244 WRITEUP MEDIUM WRITEUP
Misp < 2.4.156 - XSS
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
CVSS 4.8
CVE-2022-29528 WRITEUP CRITICAL WRITEUP
Misp < 2.4.158 - Insecure Deserialization
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
CVSS 9.8
CVE-2022-29529 WRITEUP MEDIUM WRITEUP
Misp < 2.4.158 - XSS
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
CVSS 5.4
CVE-2022-29530 WRITEUP MEDIUM WRITEUP
Misp < 2.4.158 - XSS
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
CVSS 5.4
CVE-2022-29531 WRITEUP MEDIUM WRITEUP
Misp < 2.4.158 - XSS
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
CVSS 5.4