Misp: >> Misp >> 2.3.101 Security Vulnerabilities
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-04-09
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-12-15
In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.
CVSS Score
5.5
EPSS Score
0.002
Published
2025-03-28
In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.
CVSS Score
5.5
EPSS Score
0.002
Published
2025-03-28
In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.
CVSS Score
7.2
EPSS Score
0.002
Published
2025-03-28
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-02-14
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
CVSS Score
4.9
EPSS Score
0.001
Published
2024-09-15
In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-09-01
In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-03-21
In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-03-21
Page 1