chg: [security] CVEs added

new
Alexandre Dulaunoy 2024-12-05 08:54:28 +01:00
parent 7415af31d0
commit fadfee3cd0
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 2 additions and 0 deletions

@ -112,6 +112,8 @@ We firmly believe that, even though unfortunately it is often not regarded as co
- CVE-2024-33855 < MISP 2.4.191 - [A malicious user could send a highly correlating value with an XSS payload to reach the top list of the correlation. The page is only accessible to site admin user.](https://github.com/MISP/MISP/commit/597977694dae9c6ad93f0cbdf8be48ef87ba7f39)
- [CVE-2024-45509](https://vulnerability.circl.lu/vuln/cve-2024-45509) < MISP 2.4.197 - In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.
- [CVE-2024-46918](https://vulnerability.circl.lu/vuln/cve-2024-46918) < MISP 2.4.198 - app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
- [CVE-2024-54674](https://vulnerability.circl.lu/cve/CVE-2024-54674) <= MISP 2.4.200 and <= 2.5.2 - app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.
- [CVE-2024-54675](https://vulnerability.circl.lu/cve/CVE-2024-54675) <= MISP 2.4.200 and <= 2.5.2 - app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.
## PGP Key
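Review bot: The CVE-2024-54674 and CVE-2024-54675 entries link to `https://vulnerability.circl.lu/cve/CVE-...`, while the CVE-2024-45509 and CVE-2024-46918 entries just above them use `https://vulnerability.circl.lu/vuln/cve-...` with a lowercase id; use one URL form across the list so the links stay consistent. The same two entries give the affected range as `<= MISP 2.4.200 and <= 2.5.2`, whereas the earlier entries use `< MISP <version>`. Consider stating the range in the same `<` form as the rest of the list, so a reader scanning for the release to upgrade to does not have to switch between inclusive and exclusive bounds.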