MISP
/
misp-website
mirror of https://github.com/MISP/misp-website
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [security] CVE-2019-16202 added

pull/15/head
Alexandre Dulaunoy 2019-09-11 09:19:02 +02:00
parent 9a86792f13
commit 65a18d9a17
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
_pages/security.md
View File

@ -38,7 +38,8 @@ As one of the critical user-bases of MISP consists of the CSIRT community, it is
- [CVE-2019-11814](https://cve.circl.lu/cve/CVE-2019-11814) <= MISP 2.4.107 - An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
- [CVE-2019-12794](https://cve.circl.lu/cve/CVE-2019-12794) <= MISP 2.4.108 - An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users).
- [CVE-2019-12868](https://cve.circl.lu/cve/CVE-2019-12868) <= MISP 2.4.109 - app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
- [CVE-2019-14286](https://cve.circl.lu/cve/CVE-2019-14286) <= MISP 2.4.111 - In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
- [CVE-2019-14286](https://cve.circl.lu/cve/CVE-2019-14286) <= MISP 2.4.111 - In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
- [CVE-2019-16202](https://cve.circl.lu/cve/CVE-2019-16202) <= MISP 2.4.114 - MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
## PGP Key