mokaddem

11 exploits, active since Jul 2019
CVE-2019-14286 (MEDIUM) WRITEUP
MISP 2.4.111 - Stored Cross-Site Scripting in Event-Graph View
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view and is triggered when a user toggles that view. A crafted malicious MISP event is required to trigger it.
CVSS 6.1
CVE-2020-10246 (MEDIUM) WRITEUP
MISP 2.4.122 - Reflected Cross-Site Scripting via URL Parameters
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
CVSS 6.1
CVE-2020-10247 (MEDIUM) WRITEUP
MISP 2.4.122 - Stored Cross-Site Scripting in Sighting Popover Tool
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
CVSS 6.1
CVE-2020-15411 (CRITICAL) WRITEUP
MISP 2.4.128 - Insufficient ACL Checks in Attachment Downloader (Attributes Controller)
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
CVSS 9.8
CVE-2020-25766 (HIGH) WRITEUP
MISP < 2.4.132 - Unwanted Action via Unprotected POST Form
An issue was discovered in MISP before 2.4.132. A form that is not linked to the login page accepts a POST operation, which can be used to perform an unwanted action.
CVSS 7.5
CVE-2020-28947 (MEDIUM) WRITEUP
MISP 2.4.134 - Cross-Site Scripting via Template Element Index View
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
CVSS 6.1
CVE-2020-29006 (CRITICAL) WRITEUP
MISP < 2.4.135 - Missing Authorization in Galaxy Elements Controller
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
CVSS 9.8
CVE-2020-8893 (HIGH) WRITEUP
MISP < 2.4.121 - Reflected Cross-Site Scripting in Galaxy View
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp.
CVSS 7.5
CVE-2021-35502 (CRITICAL) WRITEUP
MISP 2.4.144 - Cross-Site Scripting in generic_field.ctp
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.
CVSS 9.8
CVE-2021-37742 (MEDIUM) WRITEUP
MISP 2.4.147 - Stored Cross-Site Scripting in Galaxy Cluster Relationship Viewer
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.
CVSS 5.4
CVE-2021-37743 (MEDIUM) WRITEUP
MISP 2.4.147 - Stored Cross-Site Scripting in Galaxy Cluster Elements JSON View
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
CVSS 5.4
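Most of the entries above (CVE-2019-14286, CVE-2020-10246, CVE-2020-10247, CVE-2020-28947, CVE-2020-8893, CVE-2021-35502, CVE-2021-37742, CVE-2021-37743) are the same bug class: a value an authenticated user can store in an event, galaxy or template, or supply in a URL parameter, is interpolated into view markup without encoding for the context it lands in. The block below is an added illustration written for this listing; it is not MISP code and does not reproduce any of the vulnerable files. The attribute object, the label renderer and the helper names (escapeHtml, renderNodeLabelUnsafe, renderNodeLabelSafe, jsonForHtml) are all constructed for the example. It contrasts raw string concatenation with context-specific encoding for two of the contexts these advisories touch: HTML text/attribute values (the event-graph and popover cases) and JSON embedded in an HTML page (the galaxy-element JSON view case).

```javascript
// Added example for this listing, not MISP's event-graph.js or any .ctp view.
// Constructed sample: an attribute value an attacker can store in a MISP-style
// event and that a viewer later renders.
const maliciousAttribute = {
  type: "comment",
  value: '<img src=x onerror="alert(document.cookie)">',
};

// Minimal HTML entity encoder for text nodes and double-quoted attribute values.
// Five characters are enough for those two contexts; other contexts (URL, CSS,
// inline script) need their own encoders.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted fields are concatenated straight into markup
// that is later handed to innerHTML or to a graph widget's HTML label option.
function renderNodeLabelUnsafe(attr) {
  return '<span class="attr ' + attr.type + '">' + attr.value + "</span>";
}

// Hardened pattern: every untrusted field is encoded for the HTML context it is
// inserted into. The type is user-controlled data too, so it is encoded as well.
function renderNodeLabelSafe(attr) {
  return (
    '<span class="attr ' + escapeHtml(attr.type) + '">' +
    escapeHtml(attr.value) +
    "</span>"
  );
}

// JSON that is embedded in an HTML page (for example inside a <script> block
// to feed a client-side viewer) must not contain a raw "<" or "</script>".
// JSON.stringify does not escape those, so they are rewritten as \u escapes,
// which remain valid JSON and parse back to the original values.
function jsonForHtml(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Runs the three renderers over the constructed sample so the difference is
// visible side by side.
function demo() {
  return {
    unsafe: renderNodeLabelUnsafe(maliciousAttribute),
    safe: renderNodeLabelSafe(maliciousAttribute),
    json: jsonForHtml(maliciousAttribute),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Where a real DOM is available, building the label with document.createElement, textContent and setAttribute avoids the HTML string entirely and is preferable to escaping; the string-based version above is used here only so the example runs outside a browser.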