Search criteria
193 vulnerabilities found for MISP by MISP
CVE-2025-67906 (GCVE-0-2025-67906)
Vulnerability from nvd – Published: 2025-12-15 03:25 – Updated: 2025-12-21 01:07
VLAI?
Summary
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T16:04:07.901652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T16:04:11.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-21T01:07:34.796Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054"
},
{
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0031"
},
{
"url": "https://github.com/franckferman/GCVE-1-2025-0030"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28"
},
{
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67906",
"datePublished": "2025-12-15T03:25:46.324Z",
"dateReserved": "2025-12-15T03:25:45.994Z",
"dateUpdated": "2025-12-21T01:07:34.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66386 (GCVE-0-2025-66386)
Vulnerability from nvd – Published: 2025-11-28 00:00 – Updated: 2025-11-28 15:17
VLAI?
Summary
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.
Severity ?
4.1 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:16:57.258479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:17:40.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T06:56:34.804Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.26...v2.5.27"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66386",
"datePublished": "2025-11-28T00:00:00.000Z",
"dateReserved": "2025-11-28T00:00:00.000Z",
"dateUpdated": "2025-11-28T15:17:40.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66384 (GCVE-0-2025-66384)
Vulnerability from nvd – Published: 2025-11-28 00:00 – Updated: 2025-11-28 15:23
VLAI?
Summary
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.
Severity ?
8.2 (High)
CWE
- CWE-684 - Incorrect Provision of Specified Functionality
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:23:40.777415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:23:46.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.24",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-684",
"description": "CWE-684 Incorrect Provision of Specified Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T06:52:41.226Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/6867f0d3157a1959154bdad9ddac009dec6a19f5"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.23...v2.5.24"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66384",
"datePublished": "2025-11-28T00:00:00.000Z",
"dateReserved": "2025-11-28T00:00:00.000Z",
"dateUpdated": "2025-11-28T15:23:46.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58130 (GCVE-0-2024-58130)
Vulnerability from nvd – Published: 2025-03-28 00:00 – Updated: 2025-03-31 16:43
VLAI?
Summary
In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-58130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:42:54.092415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:43:01.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.4.193",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.193",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T22:16:15.136Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/releases/tag/v2.4.193"
},
{
"url": "https://github.com/MISP/MISP/commit/f08a2eaec25f0212c22b225c0b654bd60d089ef9"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-58130",
"datePublished": "2025-03-28T00:00:00.000Z",
"dateReserved": "2025-03-28T00:00:00.000Z",
"dateUpdated": "2025-03-31T16:43:01.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-67906 (GCVE-0-2025-67906)
Vulnerability from cvelistv5 – Published: 2025-12-15 03:25 – Updated: 2025-12-21 01:07
VLAI?
Summary
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T16:04:07.901652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T16:04:11.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-21T01:07:34.796Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054"
},
{
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0031"
},
{
"url": "https://github.com/franckferman/GCVE-1-2025-0030"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28"
},
{
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67906",
"datePublished": "2025-12-15T03:25:46.324Z",
"dateReserved": "2025-12-15T03:25:45.994Z",
"dateUpdated": "2025-12-21T01:07:34.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66386 (GCVE-0-2025-66386)
Vulnerability from cvelistv5 – Published: 2025-11-28 00:00 – Updated: 2025-11-28 15:17
VLAI?
Summary
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.
Severity ?
4.1 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:16:57.258479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:17:40.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T06:56:34.804Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.26...v2.5.27"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66386",
"datePublished": "2025-11-28T00:00:00.000Z",
"dateReserved": "2025-11-28T00:00:00.000Z",
"dateUpdated": "2025-11-28T15:17:40.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66384 (GCVE-0-2025-66384)
Vulnerability from cvelistv5 – Published: 2025-11-28 00:00 – Updated: 2025-11-28 15:23
VLAI?
Summary
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.
Severity ?
8.2 (High)
CWE
- CWE-684 - Incorrect Provision of Specified Functionality
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:23:40.777415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:23:46.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.24",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-684",
"description": "CWE-684 Incorrect Provision of Specified Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T06:52:41.226Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/6867f0d3157a1959154bdad9ddac009dec6a19f5"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.23...v2.5.24"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66384",
"datePublished": "2025-11-28T00:00:00.000Z",
"dateReserved": "2025-11-28T00:00:00.000Z",
"dateUpdated": "2025-11-28T15:23:46.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GCVE-1-2025-0040
Vulnerability from gna-1 – Published: 2025-12-13 08:44 – Updated: 2025-12-13 08:44
VLAI?
Summary
A cross-site scripting (XSS) vulnerability was identified in the event index table rendering logic related to organisation logos. The issue could allow attacker-controlled organisation names to be interpreted as executable HTML/JavaScript in a victim’s browser.
The vulnerability was caused by unsafe DOM manipulation in the onError handler of <img> elements used to display organisation logos in the event index view. When an organisation logo failed to load, the application replaced the image element using outerHTML, directly injecting the organisation name into the DOM. Under certain conditions, this could allow maliciously crafted organisation names to trigger XSS.
An authenticated attacker able to control organisation metadata (such as the organisation name) could potentially execute arbitrary JavaScript in the context of another user viewing the event index page. This may lead to session hijacking, UI manipulation, or other client-side attacks.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
🕵️♂️ Jeroen Pinoy 🐞
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.29",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA cross-site scripting (XSS) vulnerability was identified in the event index table rendering logic related to organisation logos. The issue could allow attacker-controlled organisation names to be interpreted as executable HTML/JavaScript in a victim\u2019s browser.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe vulnerability was caused by unsafe DOM manipulation in the \u003ccode\u003eonError\u003c/code\u003e handler of \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e elements used to display organisation logos in the event index view. When an organisation logo failed to load, the application replaced the image element using \u003ccode\u003eouterHTML\u003c/code\u003e, directly injecting the organisation name into the DOM. Under certain conditions, this could allow maliciously crafted organisation names to trigger XSS.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAn authenticated attacker able to control organisation metadata (such as the organisation name) could potentially execute arbitrary JavaScript in the context of another user viewing the event index page. This may lead to session hijacking, UI manipulation, or other client-side attacks.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in the event index table rendering logic related to organisation logos. The issue could allow attacker-controlled organisation names to be interpreted as executable HTML/JavaScript in a victim\u2019s browser.\n\n\n\n\nThe vulnerability was caused by unsafe DOM manipulation in the onError handler of \u003cimg\u003e elements used to display organisation logos in the event index view. When an organisation logo failed to load, the application replaced the image element using outerHTML, directly injecting the organisation name into the DOM. Under certain conditions, this could allow maliciously crafted organisation names to trigger XSS.\n\n\n\n\nAn authenticated attacker able to control organisation metadata (such as the organisation name) could potentially execute arbitrary JavaScript in the context of another user viewing the event index page. This may lead to session hijacking, UI manipulation, or other client-side attacks."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/AU:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/78b4859f1c033e4a53cf7ba049c39c056b6810ff"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-13T08:44:32.378924Z",
"dateUpdated": "2025-12-13T08:44:32.378924Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0040",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-13T08:44:32.378924Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0039
Vulnerability from gna-1 – Published: 2025-12-10 14:33 – Updated: 2025-12-10 14:33
VLAI?
Title
XSS Reintroduced in MISP Dashboard World Map Widget Due to Restored Widget Configuration Functionality
Summary
A cross-site scripting (XSS) vulnerability was identified in the MISP dashboard subsystem, specifically in the World Map dashboard widget and the supporting JavaScript logic that handles widget configuration and rendering.
A prior XSS fix related to unsafe handling of widget configuration and tooltip rendering had been in place, but the upgrade to GridStack 1.2 unintentionally broke dashboard widget configuration persistence. When the patch restored correct widget config handling, the previously mitigated XSS vector became reachable again.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
🕵️♂️ Jeroen Pinoy 🐞
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was identified in the MISP dashboard subsystem, specifically in the \u003cstrong\u003eWorld Map dashboard widget\u003c/strong\u003e and the supporting JavaScript logic that handles widget configuration and rendering.\u003c/p\u003e\n\u003cp\u003eA prior XSS fix related to unsafe handling of widget configuration and tooltip rendering had been in place, but the upgrade to \u003cstrong\u003eGridStack 1.2\u003c/strong\u003e unintentionally broke dashboard widget configuration persistence. When the patch restored correct widget config handling, the previously mitigated XSS vector became reachable again.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in the MISP dashboard subsystem, specifically in the World Map dashboard widget and the supporting JavaScript logic that handles widget configuration and rendering.\n\n\nA prior XSS fix related to unsafe handling of widget configuration and tooltip rendering had been in place, but the upgrade to GridStack 1.2 unintentionally broke dashboard widget configuration persistence. When the patch restored correct widget config handling, the previously mitigated XSS vector became reachable again."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/e651e606f8a2cb2504fc21f2c453395666b68d4f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS Reintroduced in MISP Dashboard World Map Widget Due to Restored Widget Configuration Functionality",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T14:33:52.856734Z",
"dateUpdated": "2025-12-10T14:33:52.856734Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0039",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:33:52.856734Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0038
Vulnerability from gna-1 – Published: 2025-12-10 14:10 – Updated: 2025-12-10 14:16
VLAI?
Title
Reflected XSS in MISP Template Tag Removal and MISP Admin User Filter Handling
Summary
A cross-site scripting (XSS) vulnerability was identified in two MISP views:
*
ajaxTemplateTag.ctp
*
Users/admin_index.ctp
1. ajaxTemplateTag.ctp
The JavaScript function call used for removing a template tag included both the tag ID and tag name.
Even though the tag name was escaped with h(), its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:
By eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.
2. Users/admin_index.ctp
The admin user list view passed unescaped filter parameters into the getPopup handler.
If $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked “Modify filters.”
The vulnerabilities are classified as low impact and high difficulty, as noted in the patch. Exploitation requires:
*
The attacker to create or manipulate tag names or URL parameters in specific ways.
*
An administrator to interact with the affected UI elements (e.g., clicking “Remove tag” or “Modify filters”).
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
🕵️♂️ Jeroen Pinoy 🐞
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was identified in two MISP views:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eajaxTemplateTag.ctp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eUsers/admin_index.ctp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n1. \u003ccode\u003eajaxTemplateTag.ctp\u003c/code\u003e\n\u003cp\u003eThe JavaScript function call used for removing a template tag included both the tag ID and tag name.\u003c/p\u003e\u003cp\u003eEven though the tag name was escaped with \u003ccode\u003eh()\u003c/code\u003e, its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:\u003cbr\u003e\u003c/p\u003e\u003cdiv\u003eBy eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2. \u003ccode\u003eUsers/admin_index.ctp\u003c/code\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe admin user list view passed unescaped filter parameters into the \u003ccode\u003egetPopup\u003c/code\u003e handler.\u003cbr\u003e\u003cbr\u003eIf $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked \u201cModify filters.\u201d\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe vulnerabilities are classified as \u003cstrong\u003elow impact\u003c/strong\u003e and \u003cstrong\u003ehigh difficulty\u003c/strong\u003e, as noted in the patch. Exploitation requires:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe attacker to create or manipulate tag names or URL parameters in specific ways.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn administrator to interact with the affected UI elements (e.g., clicking \u201cRemove tag\u201d or \u201cModify filters\u201d).\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in two MISP views:\n\n\n\n * \najaxTemplateTag.ctp\n\n\n\n\n * \nUsers/admin_index.ctp\n\n\n\n\n\n\n\n1. ajaxTemplateTag.ctp\nThe JavaScript function call used for removing a template tag included both the tag ID and tag name.\n\nEven though the tag name was escaped with h(), its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:\n\n\nBy eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.\n\n\n\n\n2. Users/admin_index.ctp\n\n\n\n\nThe admin user list view passed unescaped filter parameters into the getPopup handler.\n\nIf $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked \u201cModify filters.\u201d\n\n\n\n\nThe vulnerabilities are classified as low impact and high difficulty, as noted in the patch. Exploitation requires:\n\n\n\n * \nThe attacker to create or manipulate tag names or URL parameters in specific ways.\n\n\n\n\n * \nAn administrator to interact with the affected UI elements (e.g., clicking \u201cRemove tag\u201d or \u201cModify filters\u201d)."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/27f65c52ab66fdc67e86883bd7f28b02a8f24aa0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in MISP Template Tag Removal and MISP Admin User Filter Handling",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T14:10:00.000Z",
"dateUpdated": "2025-12-10T14:16:55.918270Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0038",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:10:48.440939Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:16:55.918270Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0037
Vulnerability from gna-1 – Published: 2025-12-10 14:01 – Updated: 2025-12-10 14:01
VLAI?
Title
Reflected XSS in MISP Dashboard Widgets via Unescaped Base URL
Summary
A cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:
*
APIActivityWidget (app/Lib/Dashboard/APIActivityWidget.php)
*
LoginsWidget (app/Lib/Dashboard/LoginsWidget.php)
Both widgets construct HTML output using the instance’s base URL. While MISP.baseurl was properly HTML-escaped, the alternative configuration value MISP.external_baseurl was not escaped when read from configuration.
If an attacker with administrative privileges can set or influence the MISP.external_baseurl configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.
Because the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:
*
Session hijacking within admin context (if cookies are accessible)
*
Execution of arbitrary actions as another site admin
*
Defacement or injection of misleading information into dashboards
This is considered low impact but with high exploitation requirements, as noted in the patch.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
🕵️♂️ Jeroen Pinoy 🐞
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eAPIActivityWidget\u003c/code\u003e (\u003ccode\u003eapp/Lib/Dashboard/APIActivityWidget.php\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eLoginsWidget\u003c/code\u003e (\u003ccode\u003eapp/Lib/Dashboard/LoginsWidget.php\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth widgets construct HTML output using the instance\u2019s base URL. While \u003ccode\u003eMISP.baseurl\u003c/code\u003e was properly HTML-escaped, the alternative configuration value \u003ccode\u003eMISP.external_baseurl\u003c/code\u003e was not escaped when read from configuration.\u003c/p\u003e\u003cp\u003eIf an attacker with administrative privileges can set or influence the \u003ccode\u003eMISP.external_baseurl\u003c/code\u003e configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eBecause the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSession hijacking within admin context (if cookies are accessible)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eExecution of arbitrary actions as another site admin\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDefacement or injection of misleading information into dashboards\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis is considered \u003cstrong\u003elow impact\u003c/strong\u003e but with \u003cstrong\u003ehigh exploitation requirements\u003c/strong\u003e, as noted in the patch.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:\n\n\n\n * \nAPIActivityWidget (app/Lib/Dashboard/APIActivityWidget.php)\n\n\n\n\n * \nLoginsWidget (app/Lib/Dashboard/LoginsWidget.php)\n\n\n\n\n\n\n\nBoth widgets construct HTML output using the instance\u2019s base URL. While MISP.baseurl was properly HTML-escaped, the alternative configuration value MISP.external_baseurl was not escaped when read from configuration.\n\nIf an attacker with administrative privileges can set or influence the MISP.external_baseurl configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.\n\n\n\nBecause the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:\n\n\n\n * \nSession hijacking within admin context (if cookies are accessible)\n\n\n\n\n * \nExecution of arbitrary actions as another site admin\n\n\n\n\n * \nDefacement or injection of misleading information into dashboards\n\n\n\n\n\n\n\nThis is considered low impact but with high exploitation requirements, as noted in the patch."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/cac45809bf2001d47e092d6efbb7965306a13148"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in MISP Dashboard Widgets via Unescaped Base URL",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T14:01:03.200804Z",
"dateUpdated": "2025-12-10T14:01:03.200804Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0037",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:01:03.200804Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0036
Vulnerability from gna-1 – Published: 2025-12-10 13:46 – Updated: 2025-12-10 13:46
VLAI?
Title
A reflected cross-site scripting (XSS) vulnerability was identified in the MISp Servers preview index
Summary
A reflected cross-site scripting (XSS) vulnerability was identified in the Servers preview index view (app/View/Servers/preview_index.ctp). The view passes URL parameters directly into the onClickParams argument of the getPopup handler without proper HTML encoding.
Because $urlparams can be attacker-controlled, a specially crafted URL can inject arbitrary JavaScript into the generated page. When a site administrator follows such a malicious link and clicks the “Modify filters” button, the injected script is executed in their browser in the context of the application.
This issue has been fixed by ensuring that the URL parameters are HTML-escaped before being embedded.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
🕵️♂️ Jeroen Pinoy 🐞
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA reflected cross-site scripting (XSS) vulnerability was identified in the \u003cem\u003eServers preview index\u003c/em\u003e view (\u003ccode\u003eapp/View/Servers/preview_index.ctp\u003c/code\u003e). The view passes URL parameters directly into the \u003ccode\u003eonClickParams\u003c/code\u003e argument of the \u003ccode\u003egetPopup\u003c/code\u003e handler without proper HTML encoding.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eBecause \u003ccode\u003e$urlparams\u003c/code\u003e can be attacker-controlled, a specially crafted URL can inject arbitrary JavaScript into the generated page. When a site administrator follows such a malicious link and clicks the \u003cstrong\u003e\u201cModify filters\u201d\u003c/strong\u003e button, the injected script is executed in their browser in the context of the application.\u003c/p\u003e\n\u003cp\u003eThis issue has been fixed by ensuring that the URL parameters are HTML-escaped before being embedded.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability was identified in the Servers preview index view (app/View/Servers/preview_index.ctp). The view passes URL parameters directly into the onClickParams argument of the getPopup handler without proper HTML encoding.\n\n\nBecause $urlparams can be attacker-controlled, a specially crafted URL can inject arbitrary JavaScript into the generated page. When a site administrator follows such a malicious link and clicks the \u201cModify filters\u201d button, the injected script is executed in their browser in the context of the application.\n\n\nThis issue has been fixed by ensuring that the URL parameters are HTML-escaped before being embedded."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/185a9fac1a9de112488013ffb3513644d4a02d59"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A reflected cross-site scripting (XSS) vulnerability was identified in the MISp Servers preview index",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T13:46:07.170083Z",
"dateUpdated": "2025-12-10T13:46:07.170083Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0036",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T13:46:07.170083Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0031
Vulnerability from gna-1 – Published: 2025-12-03 10:58 – Updated: 2025-12-16 09:36
VLAI?
Title
A cross-site scripting (XSS) vulnerability was identified in the MISP workflow execution-path view
Summary
A cross-site scripting (XSS) vulnerability was identified in the workflow execution-path view in app/View/Elements/Workflows/executionPath.ctp.
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected application. Depending on the privileges of the targeted user, this may lead to session hijacking, workflow manipulation, data exfiltration, or impersonation within the application.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Franck FERMAN
Sami Mokaddem (aka Graphman)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Franck FERMAN"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA cross-site scripting (XSS) vulnerability was identified in the workflow execution-path view in \u003ccode\u003eapp/View/Elements/Workflows/executionPath.ctp\u003c/code\u003e.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\nSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected application. Depending on the privileges of the targeted user, this may lead to session hijacking, workflow manipulation, data exfiltration, or impersonation within the application.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in the workflow execution-path view in app/View/Elements/Workflows/executionPath.ctp.\n\n\n\n\n\nSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected application. Depending on the privileges of the targeted user, this may lead to session hijacking, workflow manipulation, data exfiltration, or impersonation within the application."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A cross-site scripting (XSS) vulnerability was identified in the MISP workflow execution-path view",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2025-67906",
"datePublished": "2025-12-03T10:58:00.000Z",
"dateUpdated": "2025-12-16T09:36:09.594750Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0031",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-03T10:58:19.835041Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-15T21:57:21.449881Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-16T09:36:09.594750Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0030
Vulnerability from gna-1 – Published: 2025-12-03 10:53 – Updated: 2025-12-03 10:58
VLAI?
Title
A cross-site scripting (XSS) vulnerability in the MISP “actions” table element template
Summary
A cross-site scripting (XSS) vulnerability in the “actions” table element template in app/View/Elements/genericElements/IndexTable/Fields/actions.ctp allows an attacker to inject arbitrary JavaScript code into the generated HTML.
Successful exploitation allows execution of arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, data exfiltration, or UI redressing, depending on the permissions of the targeted user.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Louis PLUVIOSE
Mathis FRANEL
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis PLUVIOSE"
},
{
"lang": "en",
"type": "finder",
"value": "Mathis FRANEL"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA cross-site scripting (XSS) vulnerability in the \u201cactions\u201d table element template in \u003ccode\u003eapp/View/Elements/genericElements/IndexTable/Fields/actions.ctp\u003c/code\u003e allows an attacker to inject arbitrary JavaScript code into the generated HTML.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\nSuccessful exploitation allows execution of arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, data exfiltration, or UI redressing, depending on the permissions of the targeted user.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability in the \u201cactions\u201d table element template in app/View/Elements/genericElements/IndexTable/Fields/actions.ctp allows an attacker to inject arbitrary JavaScript code into the generated HTML.\n\n\n\n\n\nSuccessful exploitation allows execution of arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, data exfiltration, or UI redressing, depending on the permissions of the targeted user."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/c7b833839138fd3cef1a225f54863540d72a2fac"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A cross-site scripting (XSS) vulnerability in the MISP \u201cactions\u201d table element template",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-03T10:53:00.000Z",
"dateUpdated": "2025-12-03T10:58:55.845341Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0030",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-03T10:53:30.664179Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-03T10:58:55.845341Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0029
Vulnerability from gna-1 – Published: 2025-11-27 12:41 – Updated: 2025-11-27 12:48
VLAI?
Title
Reflected cross-site scripting (XSS) vulnerabilities in EventGraph and Template Upload
Summary
MISP contained two reflected cross-site scripting (XSS) vulnerabilities affecting:
*
EventGraph deletion confirmation form (eventGraph_delete_form.ctp)
*
Template file upload form (upload_file.ctp)
Before commit bd3ef20956e680fe12b3faf529efaaaee3e412dc, both templates used unvalidated numeric identifiers ($id and $element_id) directly in the rendered page. An attacker could craft a malicious request with a specially crafted non-numeric value for these parameters, causing untrusted data to be reflected into the HTML or JavaScript context of the forms—triggering arbitrary JavaScript execution in the browser of a logged-in user.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Dawid Czarnecki of Zigrin Security
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dawid Czarnecki of Zigrin Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMISP contained two reflected cross-site scripting (XSS) vulnerabilities affecting:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003eEventGraph\u003c/code\u003e deletion confirmation form\u003c/strong\u003e (\u003ccode\u003eeventGraph_delete_form.ctp\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eTemplate file upload form\u003c/strong\u003e (\u003ccode\u003eupload_file.ctp\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eBefore commit \u003ccode\u003ebd3ef20956e680fe12b3faf529efaaaee3e412dc\u003c/code\u003e, both templates used unvalidated numeric identifiers (\u003ccode\u003e$id\u003c/code\u003e and \u003ccode\u003e$element_id\u003c/code\u003e) directly in the rendered page. An attacker could craft a malicious request with a specially crafted non-numeric value for these parameters, causing untrusted data to be reflected into the HTML or JavaScript context of the forms\u2014triggering arbitrary JavaScript execution in the browser of a logged-in user.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "MISP contained two reflected cross-site scripting (XSS) vulnerabilities affecting:\n\n\n\n * \nEventGraph deletion confirmation form (eventGraph_delete_form.ctp)\n\n\n\n\n * \nTemplate file upload form (upload_file.ctp)\n\n\n\n\n\nBefore commit bd3ef20956e680fe12b3faf529efaaaee3e412dc, both templates used unvalidated numeric identifiers ($id and $element_id) directly in the rendered page. An attacker could craft a malicious request with a specially crafted non-numeric value for these parameters, causing untrusted data to be reflected into the HTML or JavaScript context of the forms\u2014triggering arbitrary JavaScript execution in the browser of a logged-in user."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/bd3ef20956e680fe12b3faf529efaaaee3e412dc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected cross-site scripting (XSS) vulnerabilities in EventGraph and Template Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-27T12:41:00.000Z",
"dateUpdated": "2025-11-27T12:48:51.085860Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0029",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-27T12:41:37.265185Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-27T12:42:20.272359Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-27T12:48:51.085860Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0028
Vulnerability from gna-1 – Published: 2025-11-27 07:23 – Updated: 2025-12-02 08:51
VLAI?
Title
Information leakage vulnerability in the MISP Feed configuration interface
Summary
MISP contained an information leakage vulnerability in the Feed configuration interface when tag collections were used and the “JSONified list” view was accessed. As a result, sensitive fields such as full user records, organisation metadata, or other internal attributes could be exposed to users who should not have had access to them when viewing the JSON output of feed configurations.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contained an information leakage vulnerability in the \u003cem\u003eFeed configuration\u003c/em\u003e interface when tag collections were used and the \u201cJSONified list\u201d view was accessed. As a result, sensitive fields such as full user records, organisation metadata, or other internal attributes could be exposed to users who should not have had access to them when viewing the JSON output of feed configurations."
}
],
"value": "MISP contained an information leakage vulnerability in the Feed configuration interface when tag collections were used and the \u201cJSONified list\u201d view was accessed. As a result, sensitive fields such as full user records, organisation metadata, or other internal attributes could be exposed to users who should not have had access to them when viewing the JSON output of feed configurations."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/ffe3be4da6fa99fffc85534d730a469c06cd38d8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information leakage vulnerability in the MISP Feed configuration interface",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-27T07:23:00.000Z",
"dateUpdated": "2025-12-02T08:51:35.429494Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0028",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-27T07:23:20.592344Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:51:35.429494Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0027
Vulnerability from gna-1 – Published: 2025-11-27 07:17 – Updated: 2025-12-02 08:51
VLAI?
Title
Reflected cross-site scripting (XSS) vulnerability in the server edit functionality of MISP
Summary
A reflected cross-site scripting (XSS) vulnerability was discovered in the server edit functionality of MISP. In serverRuleElements/pull.ctp and serverRuleElements/push.ctp, the id (server ID) value was written directly into an inline JavaScript variable (var serverID = "…"), without HTML escaping. A remote attacker could craft a URL with a malicious id value that, when visited by an authenticated user with access to the server edit interface, would result in arbitrary JavaScript execution in the victim’s browser.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A reflected cross-site scripting (XSS) vulnerability was discovered in the \u003cem\u003eserver edit\u003c/em\u003e functionality of MISP. In \u003ccode\u003eserverRuleElements/pull.ctp\u003c/code\u003e and \u003ccode\u003eserverRuleElements/push.ctp\u003c/code\u003e, the \u003ccode\u003eid\u003c/code\u003e (server ID) value was written directly into an inline JavaScript variable (\u003ccode\u003evar serverID = \"\u2026\"\u003c/code\u003e), without HTML escaping. A remote attacker could craft a URL with a malicious \u003ccode\u003eid\u003c/code\u003e value that, when visited by an authenticated user with access to the server edit interface, would result in arbitrary JavaScript execution in the victim\u2019s browser. \u003cbr\u003e"
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability was discovered in the server edit functionality of MISP. In serverRuleElements/pull.ctp and serverRuleElements/push.ctp, the id (server ID) value was written directly into an inline JavaScript variable (var serverID = \"\u2026\"), without HTML escaping. A remote attacker could craft a URL with a malicious id value that, when visited by an authenticated user with access to the server edit interface, would result in arbitrary JavaScript execution in the victim\u2019s browser."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/b24e37a6c78199a4c68bb3b95f53d37962973d86"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected cross-site scripting (XSS) vulnerability in the server edit functionality of MISP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-27T07:17:00.000Z",
"dateUpdated": "2025-12-02T08:51:04.323899Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0027",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-27T07:17:57.069969Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-27T07:24:10.363842Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:51:04.323899Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0026
Vulnerability from gna-1 – Published: 2025-11-26 16:35 – Updated: 2025-12-02 08:50
VLAI?
Title
Reflected cross-site scripting (XSS) vulnerability in the Server Edit interface,
Summary
MISP contained a reflected cross-site scripting (XSS) vulnerability in the Server Edit interface, specifically within the JavaScript initialization code of the push and pull filtering rule elements. Prior to commit b24e37a6c78199a4c68bb3b95f53d37962973d86, the id parameter (server ID) was embedded directly into a JavaScript string without HTML escaping. A maliciously crafted id value containing JavaScript or special characters could be reflected into the page and executed when an authenticated user visited the server edit page.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contained a reflected cross-site scripting (XSS) vulnerability in the \u003cem\u003eServer Edit\u003c/em\u003e interface, specifically within the JavaScript initialization code of the push and pull filtering rule elements. Prior to commit \u003ccode\u003eb24e37a6c78199a4c68bb3b95f53d37962973d86\u003c/code\u003e, the \u003ccode\u003eid\u003c/code\u003e parameter (server ID) was embedded directly into a JavaScript string without HTML escaping.\u0026nbsp;A maliciously crafted \u003ccode\u003eid\u003c/code\u003e value containing JavaScript or special characters could be reflected into the page and executed when an authenticated user visited the server edit page."
}
],
"value": "MISP contained a reflected cross-site scripting (XSS) vulnerability in the Server Edit interface, specifically within the JavaScript initialization code of the push and pull filtering rule elements. Prior to commit b24e37a6c78199a4c68bb3b95f53d37962973d86, the id parameter (server ID) was embedded directly into a JavaScript string without HTML escaping.\u00a0A maliciously crafted id value containing JavaScript or special characters could be reflected into the page and executed when an authenticated user visited the server edit page."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/b24e37a6c78199a4c68bb3b95f53d37962973d86"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected cross-site scripting (XSS) vulnerability in the Server Edit interface,",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T16:35:00.000Z",
"dateUpdated": "2025-12-02T08:50:46.381572Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0026",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:35:06.666237Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:50:46.381572Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0025
Vulnerability from gna-1 – Published: 2025-11-26 16:27 – Updated: 2025-12-02 08:50
VLAI?
Title
Reflected cross-site scripting (XSS) vulnerability in the MISP Attribute Replacement Tool
Summary
MISP contained a reflected cross-site scripting (XSS) vulnerability in the Attribute Replacement Tool. Prior to commit f20e93e289998290946d56273528d2a4dc1c57fc, the event_id parameter was inserted into both the form action URL and an inline JavaScript handler without proper HTML-escaping. A malicious actor could craft a link with a specially crafted event_id value containing JavaScript, which would then be reflected back to the user and executed when the page was rendered.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contained a reflected cross-site scripting (XSS) vulnerability in the \u003cem\u003eAttribute Replacement Tool\u003c/em\u003e. Prior to commit \u003ccode\u003ef20e93e289998290946d56273528d2a4dc1c57fc\u003c/code\u003e, the \u003ccode\u003eevent_id\u003c/code\u003e parameter was inserted into both the form action URL and an inline JavaScript handler without proper HTML-escaping. A malicious actor could craft a link with a specially crafted \u003ccode\u003eevent_id\u003c/code\u003e value containing JavaScript, which would then be reflected back to the user and executed when the page was rendered."
}
],
"value": "MISP contained a reflected cross-site scripting (XSS) vulnerability in the Attribute Replacement Tool. Prior to commit f20e93e289998290946d56273528d2a4dc1c57fc, the event_id parameter was inserted into both the form action URL and an inline JavaScript handler without proper HTML-escaping. A malicious actor could craft a link with a specially crafted event_id value containing JavaScript, which would then be reflected back to the user and executed when the page was rendered."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/f20e93e289998290946d56273528d2a4dc1c57fc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected cross-site scripting (XSS) vulnerability in the MISP Attribute Replacement Tool",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T16:27:00.000Z",
"dateUpdated": "2025-12-02T08:50:18.897756Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0025",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:27:43.742150Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:29:13.941057Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:50:18.897756Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0024
Vulnerability from gna-1 – Published: 2025-11-26 16:14 – Updated: 2025-12-02 08:50
VLAI?
Title
cross-site scripting (XSS) vulnerability in the MISP showAttributeTag
Summary
MISP contained a reflected cross-site scripting (XSS) vulnerability in the showAttributeTag / tag selection UI.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contained a reflected cross-site scripting (XSS) vulnerability in the \u003cem\u003eshowAttributeTag\u003c/em\u003e / tag selection UI."
}
],
"value": "MISP contained a reflected cross-site scripting (XSS) vulnerability in the showAttributeTag / tag selection UI."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/cbfcf1cdd2797de8f3da439f217bb8b9f0cd8cef"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "cross-site scripting (XSS) vulnerability in the MISP showAttributeTag",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T16:14:00.000Z",
"dateUpdated": "2025-12-02T08:50:01.482327Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0024",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:14:57.013842Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:15:27.131244Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:50:01.482327Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0023
Vulnerability from gna-1 – Published: 2025-11-26 16:10 – Updated: 2025-12-02 08:49
VLAI?
Title
XSS in MISP server comparison tool
Summary
MISP contained a cross-site scripting (XSS) vulnerability in the Server Comparison tool. Prior to commit 83cc0b50971798bbf4be674e9ba744a8e874233a, certain fields displayed in the comparison view were not properly sanitized before being inserted into the HTML output. A malicious or compromised site-admin could inject crafted HTML/JavaScript payloads into comparison content, which would then execute in the browser of another site-admin viewing the Server Comparison interface.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contained a cross-site scripting (XSS) vulnerability in the \u003cem\u003eServer Comparison\u003c/em\u003e tool. Prior to commit \u003ccode\u003e83cc0b50971798bbf4be674e9ba744a8e874233a\u003c/code\u003e, certain fields displayed in the comparison view were not properly sanitized before being inserted into the HTML output. A malicious or compromised site-admin could inject crafted HTML/JavaScript payloads into comparison content, which would then execute in the browser of another site-admin viewing the Server Comparison interface."
}
],
"value": "MISP contained a cross-site scripting (XSS) vulnerability in the Server Comparison tool. Prior to commit 83cc0b50971798bbf4be674e9ba744a8e874233a, certain fields displayed in the comparison view were not properly sanitized before being inserted into the HTML output. A malicious or compromised site-admin could inject crafted HTML/JavaScript payloads into comparison content, which would then execute in the browser of another site-admin viewing the Server Comparison interface."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/83cc0b50971798bbf4be674e9ba744a8e874233a"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in MISP server comparison tool",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T16:10:00.000Z",
"dateUpdated": "2025-12-02T08:49:24.626168Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0023",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:10:30.111214Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:49:24.626168Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0022
Vulnerability from gna-1 – Published: 2025-11-26 16:04 – Updated: 2025-12-02 08:49
VLAI?
Title
Clarified setting's impact on download_attachments_on_load
Summary
download_attachments_on_load is set to true by default, but setting this to false introduces a potential security risk. Clarified this in the setting
Severity ?
CWE
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "download_attachments_on_load is set to true by default, but setting this to false introduces a potential security risk. Clarified this in the setting"
}
],
"value": "download_attachments_on_load is set to true by default, but setting this to false introduces a potential security risk. Clarified this in the setting"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/5410685896b89aed11ace870b9c22c17752d1807"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Clarified setting\u0027s impact on download_attachments_on_load",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T16:04:00.000Z",
"dateUpdated": "2025-12-02T08:49:04.510294Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0022",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T16:04:54.084661Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:49:04.510294Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0021
Vulnerability from gna-1 – Published: 2025-11-26 15:55 – Updated: 2025-12-02 08:48
VLAI?
Title
XSS in MISP ReST client in HTML view
Summary
In MISP, the “REST client” interface that allows viewing data returned by modules suffered from a cross-site scripting (XSS) vulnerability when presenting “HTML view” of arbitrary JSON data. Prior to commit d718c026d5d69a50e3bbd51847a05ad8f386ec6c, the application did not sufficiently validate or restrict the type of response before offering to render it as HTML, allowing malicious JSON responses to be rendered in HTML context. This could allow an attacker (via a compromised or malicious module) to supply JSON containing content that, when interpreted as HTML, executes as script in the user’s browser.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In MISP, the \u201cREST client\u201d interface that allows viewing data returned by modules suffered from a cross-site scripting (XSS) vulnerability when presenting \u201cHTML view\u201d of arbitrary JSON data. Prior to commit \u003ccode\u003ed718c026d5d69a50e3bbd51847a05ad8f386ec6c\u003c/code\u003e, the application did not sufficiently validate or restrict the type of response before offering to render it as HTML, allowing malicious JSON responses to be rendered in HTML context. This could allow an attacker (via a compromised or malicious module) to supply JSON containing content that, when interpreted as HTML, executes as script in the user\u2019s browser."
}
],
"value": "In MISP, the \u201cREST client\u201d interface that allows viewing data returned by modules suffered from a cross-site scripting (XSS) vulnerability when presenting \u201cHTML view\u201d of arbitrary JSON data. Prior to commit d718c026d5d69a50e3bbd51847a05ad8f386ec6c, the application did not sufficiently validate or restrict the type of response before offering to render it as HTML, allowing malicious JSON responses to be rendered in HTML context. This could allow an attacker (via a compromised or malicious module) to supply JSON containing content that, when interpreted as HTML, executes as script in the user\u2019s browser."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/d718c026d5d69a50e3bbd51847a05ad8f386ec6c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in MISP ReST client in HTML view",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T15:55:00.000Z",
"dateUpdated": "2025-12-02T08:48:41.869838Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0021",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T15:55:16.468388Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:48:41.869838Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0020
Vulnerability from gna-1 – Published: 2025-11-26 15:49 – Updated: 2025-12-02 08:47
VLAI?
Title
cross-site scripting (XSS) in Galaxy element JSON view
Summary
The “Galaxy element JSON view", a functionality that renders JSON representations of “galaxy elements”, contained a cross-site scripting (XSS) vulnerability.
The issue could allow a malicious user (with the ability to influence galaxy element data) to inject JavaScript payloads that would execute in the browser of another user viewing the JSON view.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Credits
Lassi Kapanen of Second Nature Security
Andras Iklody (the Insomniac MISP lead dev)
Teemu Hakkarainen of Second Nature Security
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lassi Kapanen of Second Nature Security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Hakkarainen of Second Nature Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe \u201cGalaxy element JSON view\", a functionality that renders JSON representations of \u201cgalaxy elements\u201d, contained a cross-site scripting (XSS) vulnerability.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe issue could allow a malicious user (with the ability to influence galaxy element data) to inject JavaScript payloads that would execute in the browser of another user viewing the JSON view.\u0026nbsp;\u003c/div\u003e"
}
],
"value": "The \u201cGalaxy element JSON view\", a functionality that renders JSON representations of \u201cgalaxy elements\u201d, contained a cross-site scripting (XSS) vulnerability.\u00a0\n\n\n\n\nThe issue could allow a malicious user (with the ability to influence galaxy element data) to inject JavaScript payloads that would execute in the browser of another user viewing the JSON view."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/aa882b23425dd4ef45d0a5f33ff0b5eed36ec9a4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "cross-site scripting (XSS) in Galaxy element JSON view",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-26T15:49:00.000Z",
"dateUpdated": "2025-12-02T08:47:41.151429Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0020",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T15:49:06.903712Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-02T08:47:41.151429Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0019
Vulnerability from gna-1 – Published: 2025-11-26 14:47 – Updated: 2025-11-28 07:27
VLAI?
Title
Path traversal vulnerability in EventReport for site-admin
Summary
The “view picture” functionality in EventReport for site-administrators suffered from a path traversal vulnerability. When a specially crafted filename or alias was provided, the application could be tricked into returning arbitrary files from the server’s file system rather than only allowed image assets.
Severity ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Credits
Esteban (Zerotistic) Tonglet during Hack the Government 2025 in Belgium
Sami Mokaddem (aka Graphman)
📸 Alexandre Dulaunoy 🎨
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.26",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esteban (Zerotistic) Tonglet during Hack the Government 2025 in Belgium"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \u201cview picture\u201d functionality in EventReport for site-administrators suffered from a path traversal vulnerability. When a specially crafted filename or alias was provided, the application could be tricked into returning arbitrary files from the server\u2019s file system rather than only allowed image assets."
}
],
"value": "The \u201cview picture\u201d functionality in EventReport for site-administrators suffered from a path traversal vulnerability. When a specially crafted filename or alias was provided, the application could be tricked into returning arbitrary files from the server\u2019s file system rather than only allowed image assets."
}
],
"impacts": [
{
"capecId": "CAPEC-73",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-73 User-Controlled Filename"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path traversal vulnerability in EventReport for site-admin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2025-66386",
"datePublished": "2025-11-26T14:47:00.000Z",
"dateUpdated": "2025-11-28T07:27:42.721350Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0019",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T14:47:47.489637Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-26T14:48:49.272047Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-28T07:23:06.918616Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-28T07:27:42.721350Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0016
Vulnerability from gna-1 – Published: 2025-11-04 09:20 – Updated: 2025-11-04 09:56
VLAI?
Summary
Local file inclusion in [ImportFromUrl() URL handling component in MISP event report (with pandoc support) on server-side document import feature / web application allows an attacker who can supply a URL to read local filesystem documents and disclose sensitive information (limited to document file types) via providing file:// URLs to ImportFromUrl() that are fetched without proper scheme/host validation.
Severity ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Credits
🕵️♂️ Jeroen Pinoy 🐞
Raphael Lob from NATO Cyber Security Center
📸 Alexandre Dulaunoy 🎨
Andras Iklody (the Insomniac MISP lead dev)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.24",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "finder",
"value": "Raphael Lob from NATO Cyber Security Center"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Local file inclusion in [ImportFromUrl() URL handling component in MISP event report (with pandoc support) on server-side document import feature / web application allows an attacker who can supply a URL to read local filesystem documents and disclose sensitive information (limited to document file types) via providing file:// URLs to ImportFromUrl() that are fetched without proper scheme/host validation."
}
],
"value": "Local file inclusion in [ImportFromUrl() URL handling component in MISP event report (with pandoc support) on server-side document import feature / web application allows an attacker who can supply a URL to read local filesystem documents and disclose sensitive information (limited to document file types) via providing file:// URLs to ImportFromUrl() that are fetched without proper scheme/host validation."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/misp/misp/commit/6b67f8e853dcf8e40cb87d35a0f6d55df80928df"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-11-04T09:20:00.000Z",
"dateUpdated": "2025-11-04T09:56:38.383646Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0016",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-04T09:20:56.074344Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-04T09:56:38.383646Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CERTFR-2025-AVI-1076
Vulnerability from certfr_avis - Published: 2025-12-08 - Updated: 2025-12-24
De multiples vulnérabilités ont été découvertes dans MISP. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions ant\u00e9rieures \u00e0 2.5.27",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-67906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67906"
}
],
"initial_release_date": "2025-12-08T00:00:00",
"last_revision_date": "2025-12-24T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1076",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-08T00:00:00.000000"
},
{
"description": "Ajout de la vuln\u00e9rabilit\u00e9 CVE-2025-67906",
"revision_date": "2025-12-24T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans MISP. Elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans MISP",
"vendor_advisories": [
{
"published_at": "2025-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}
CERTFR-2025-AVI-1045
Vulnerability from certfr_avis - Published: 2025-11-27 - Updated: 2025-11-28
Une vulnérabilité a été découverte dans MISP. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions ant\u00e9rieures \u00e0 2.5.26",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2025-11-27T00:00:00",
"last_revision_date": "2025-11-28T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1045",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-27T00:00:00.000000"
},
{
"description": "Ajout r\u00e9f\u00e9rence CVE",
"revision_date": "2025-11-28T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans MISP. Elle permet \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Vuln\u00e9rabilit\u00e9 dans MISP",
"vendor_advisories": [
{
"published_at": "2025-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}
CERTFR-2025-AVI-0965
Vulnerability from certfr_avis - Published: 2025-11-05 - Updated: 2025-11-05
De multiples vulnérabilités ont été découvertes dans MISP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions ant\u00e9rieures \u00e0 2.5.24",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2025-11-05T00:00:00",
"last_revision_date": "2025-11-05T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0965",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans MISP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans MISP",
"vendor_advisories": [
{
"published_at": "2025-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}
CERTFR-2025-AVI-0274
Vulnerability from certfr_avis - Published: 2025-04-04 - Updated: 2025-04-04
De multiples vulnérabilités ont été découvertes dans MISP. Elles permettent à un attaquant de provoquer une injection indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions 2.4.x ant\u00e9rieures \u00e0 2.4.201",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
},
{
"description": "MISP versions 2.5.x ant\u00e9rieures \u00e0 2.5.3",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-54674",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54674"
},
{
"name": "CVE-2024-54675",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54675"
}
],
"initial_release_date": "2025-04-04T00:00:00",
"last_revision_date": "2025-04-04T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0274",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-04-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans MISP. Elles permettent \u00e0 un attaquant de provoquer une injection indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans MISP",
"vendor_advisories": [
{
"published_at": "2025-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}