MISP Monthly
Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.
Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. Vendor patches are available via multiple MISP GitHub commits; no public exploit identified at time of analysis.
Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or perm_sharing_group role flag hard-delete Event Reports and Sharing Groups belonging to other organisations across the entire instance. The flaw affects MISP threat-intelligence platform deployments and enables cross-tenant data destruction by contributor-level accounts; no public exploit identified at time of analysis, but the upstream patch commits are public and trivially reverse-engineerable.
Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organizations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row than the one the authorization check validated. No public exploit identified at time of analysis, but a vendor patch is available and the high CVSS 4.0 score of 9.4 reflects broad cross-tenant impact.
Sharing group authorization bypass in MISP's object add/edit workflow allows an authenticated user with object-editing permissions to assign objects and their contained attributes to sharing groups they are not authorized to access or view. The flaw stems from a structural data merging step in ObjectsController.php that silently relocates field keys, causing the sharing group validation check to evaluate a stale, already-removed data path and thus never fire. An attacker exploiting this can probe the existence and names of non-visible sharing groups and improperly alter the distribution metadata of objects and embedded attributes. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Unauthorized sharing group assignment in MISP's non-REST event edit path allows any authenticated event editor to assign an event to a restricted sharing group they are not a member of by tampering with submitted form data. The REST API path enforced sharing group authorization via Event::_edit(), but the web form save path wrote sharing_group_id directly from POST data without equivalent validation - a classic split-path authorization gap (CWE-863). Successful exploitation leaks the restricted sharing group's name in event listings and corrupts the event's distribution metadata. No public exploit has been identified at time of analysis, and the fix is available as commit 609ff6c from the MISP maintainers (CIRCL).
User email enumeration in MISP's AuthKey edit endpoint allows any authenticated user holding AuthKey-edit permission to discover the email addresses of arbitrary platform users by manipulating a single POST parameter. The flaw exists in the validation-error rendering path of AuthKeysController.php, where the user dropdown was populated from attacker-controlled request body data rather than the persisted AuthKey owner, enabling systematic iteration over numeric user IDs. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivially reproducible from the description and patch diff alone.
Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability exploits a double-encoding flaw: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing, restoring HTML-encoded quote characters to literal single quotes and enabling string breakout. No public exploit code has been identified at time of analysis, and the fix has been committed upstream by the MISP maintainers at CIRCL.
Path traversal in MISP's OrganisationsController::getOrgLogo allows a low-privileged authenticated user to read arbitrary .png or .svg files from outside the intended organisation logo directory by injecting traversal sequences into organisation-controlled fields such as the organisation name, id, or uuid. All MISP versions prior to the patch commit b865deb are affected across any deployment where untrusted accounts hold write access to organisation fields. No public exploit code or CISA KEV listing exists at time of analysis; however, the attack requires only low-privilege access and no user interaction, making it practically exploitable in typical multi-tenant MISP deployments.
Stored cross-site scripting in MISP's setHomePage endpoint allows an authenticated user to persist an arbitrary JavaScript payload as their homepage setting when the Overmind theme is active, which later executes in any victim's browser upon viewing the News page and clicking the "Continue to homepage" link. The root cause is a theme-conditional code path in UserSettingsController that called setSettingInternal() directly, bypassing the validate_homepage validator that enforces a leading slash on path values, combined with an unescaped output sink in app/View/News/index.ctp. No public exploit has been identified at time of analysis; exploitation is bounded by the Overmind-theme-only precondition and mandatory victim interaction.
Incorrect authorization in MISP's event template builder exposes organisation-private galaxy definitions to any authenticated user due to a PHP operator-precedence bug that silently voids the intended access-control filter. In multi-tenant MISP deployments, authenticated non-site-admin users can enumerate all enabled galaxies - including organisation-only custom galaxies belonging to other organisations - through the template builder galaxy list. No active exploitation is confirmed (not listed in CISA KEV), but the low exploitation barrier (any valid account, no special privileges) makes this a meaningful metadata-disclosure risk wherever multiple organisations share a MISP instance.
Improper authorization in MISP permits an authenticated organization administrator to read or overwrite user settings and login profile data belonging to site administrator accounts that share the same organization. The ACL checks in UserLoginProfilesController, UserSettingsController, and the UserSetting model correctly scoped operations by org_id membership but failed to exclude users holding site-admin roles, allowing a lower-privileged admin to cross the intended privilege boundary. No public exploit has been identified at time of analysis; a patch is available via a CIRCL-reported upstream commit.
Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify other users' account attributes by submitting a crafted User.id parameter in edit requests. The UsersController::edit() function failed to strip user-supplied identifiers before processing, enabling cross-account modifications. No public exploit identified at time of analysis, but the source code fix is publicly visible in the upstream commit.
Authenticated low-privileged users in MISP versions up to and including 2.5.38 can manipulate the fields parameter of the New Users and New Organisations dashboard widgets to bypass server-side field redaction and retrieve restricted metadata - including user email addresses even when email disclosure is explicitly disabled via Security.disclose_user_emails configuration. The root cause is an order-of-operations flaw: in the original code, the email redaction check was applied after the fallback logic that repopulated the field list, meaning a crafted empty field selection after validation could trigger a return of unredacted model fields. No public exploit has been identified at time of analysis, and SSVC rates exploitation status as none; however, the low attack complexity and absence of user interaction requirements mean any authenticated user can reliably reproduce the condition.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
Authorization bypass in MISP versions through 2.5.38 lets authenticated users delete records via HTTP DELETE requests even after the application's delete-validation callback has rejected the operation. The root cause is an operator-precedence bug in the CRUDComponent::delete() handler where missing parentheses caused validation checks to be skipped for the DELETE method. No public exploit identified at time of analysis, but the upstream fix commit on GitHub publicly discloses the exact one-line vulnerable expression, making weaponization trivial.
Open redirect in MISP versions up to and including 2.5.38 allows unauthenticated remote attackers to craft links that silently redirect victims to attacker-controlled external URLs immediately after successful authentication. The vulnerability resides in UsersController::routeafterlogin(), where the pre_login_requested_url session value was reflected into a Location header without enforcing local-path constraints. SSVC signals exploitation as 'none' and no CISA KEV listing exists, but the automatable designation and the high-trust context of a threat intelligence platform make this a meaningful phishing amplifier against security teams who would not expect a trusted MISP login to forward them off-site.
Open redirect in MISP's dashboard button widget (versions up to and including 2.5.38) enables an authenticated, high-privileged user who controls dashboard configuration to plant a crafted button URL that appears to point internally but redirects clicking users to an attacker-controlled external site. The root cause is an incomplete URL allowlist in Button.ctp that blocked explicit schemes, hosts, and user components but did not reject paths beginning with /\ - a pattern several browsers normalize into a scheme-relative URL (i.e., //attacker.com). No public exploit exists and CISA SSVC rates exploitation as none; risk is substantially constrained by the PR:H requirement and the need for a victim to interact with the planted button.
Authorization bypass in MISP's Event Template Importer allows authenticated users with template import privileges to overwrite event templates owned by other organizations on the same shared instance, violating inter-organizational data ownership boundaries. Versions up to and including 2.5.38 are affected; the overwrite workflow confirmed template existence but omitted an organizational ownership check, enabling cross-org template corruption. No public exploit code has been identified at time of analysis and SSVC signals no active exploitation, but the integrity impact is operationally significant in multi-tenant MISP deployments where organizational trust boundaries are critical.
Private galaxy metadata in MISP versions up to and including 2.5.38 was exposed to authenticated non-site-admin users through the event template builder workflow due to missing organisation and distribution-based access controls. The EventTemplatesController.php __setBuilderConfig() method queried all enabled galaxies without filtering by ownership or distribution level, allowing users from one organisation to read galaxy names, types, and descriptions that belong to other organisations and are marked private. No public exploit has been identified and SSVC rates exploitation as none; however, in multi-tenant intelligence-sharing environments this information disclosure carries meaningful operational security risk, as galaxy metadata can reveal the intelligence focus areas or classification schemes of peer organisations.
OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_otp=true, allowing attackers with valid LDAP (or other plugin) credentials to skip the mandatory second factor. Because the plugin-driven login establishes the session during the AppController beforeFilter phase, an attacker can authenticate, ignore the /users/otp challenge page, and browse directly to any authorized application URL as the victim. No public exploit identified at time of analysis, though the upstream commit clearly documents the bypass technique.
MISP's CSP report endpoint in versions 2.5.0 through 2.5.37 accepts payloads up to 1 MB per report instead of the developer-intended 1 KB limit, due to a 1,024x magnitude error in the truncation guard (`1024 * 1024` instead of `1024`). On deployments where the endpoint is reachable by untrusted clients, unauthenticated remote parties (per CVSS PR:N) can abuse this discrepancy to flood application logs with oversized reports, contributing to disk exhaustion or log integrity degradation. No public exploit code exists and active exploitation has not been confirmed; the CVSS 4.0 score of 5.1 (Low-Medium) reflects the limited, availability-only impact.
Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.
Insufficient input validation in MISP's Collections model allows authenticated low-privileged users to inject malformed UUID values into Collection records, potentially causing data integrity issues or unexpected behavior in downstream code paths that assume RFC 4122-compliant UUIDs. Affected deployments are all MISP instances prior to version 2.5.37. No public exploit code exists and CISA's SSVC framework rates exploitation as none, making this a low-urgency integrity issue rather than an active threat, though integrity of Collection relationships and UUID-dependent logic is at risk until patched.
Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to reset authentication keys of site administrator accounts within the same organization, yielding cross-tier access takeover. The flaw stems from missing authorization checks in the auth key reset workflow, enabling an org-admin to harvest a freshly generated site-admin API key. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.06%, but a vendor-released patch (2.5.37) is available.
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to manipulate ORDER BY clauses in event and shadow attribute listing endpoints by supplying crafted ordering parameters. The CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.04% and no public exploit has been identified at time of analysis. Given MISP's role as a repository of sensitive threat-intelligence data shared between organizations, successful exploitation could expose IOCs, attribution data, and partner-shared intelligence.
Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.
LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.
Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated users with workflow privileges to inject arbitrary JavaScript via the workflow execution path view (executionPath.ctp), where doT.js template expressions used unescaped interpolation. Successful exploitation against a user who views the affected page (UI:R) results in scope-changed compromise of the victim's MISP session, including high-confidentiality/integrity/availability impact (CVSS 9.0). Publicly available exploit code exists in researcher-published repositories; no CISA KEV listing at time of analysis.
In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints lack sanitization for non-JSON responses. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI), and thus attackers with admin privileges can conduct XSS attacks against every page. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI), and thus attackers with admin privileges can conduct XSS attacks via a global menu link. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks and access restricted resources.
Authorization bypass in MISP's Event Template Importer allows authenticated users with template import privileges to overwrite event templates owned by other organizations on the same shared instance, violating inter-organizational data ownership boundaries. Versions up to and including 2.5.38 are affected; the overwrite workflow confirmed template existence but omitted an organizational ownership check, enabling cross-org template corruption. No public exploit code has been identified at time of analysis and SSVC signals no active exploitation, but the integrity impact is operationally significant in multi-tenant MISP deployments where organizational trust boundaries are critical.
Private galaxy metadata in MISP versions up to and including 2.5.38 was exposed to authenticated non-site-admin users through the event template builder workflow due to missing organisation and distribution-based access controls. The EventTemplatesController.php __setBuilderConfig() method queried all enabled galaxies without filtering by ownership or distribution level, allowing users from one organisation to read galaxy names, types, and descriptions that belong to other organisations and are marked private. No public exploit has been identified and SSVC rates exploitation as none; however, in multi-tenant intelligence-sharing environments this information disclosure carries meaningful operational security risk, as galaxy metadata can reveal the intelligence focus areas or classification schemes of peer organisations.
OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_otp=true, allowing attackers with valid LDAP (or other plugin) credentials to skip the mandatory second factor. Because the plugin-driven login establishes the session during the AppController beforeFilter phase, an attacker can authenticate, ignore the /users/otp challenge page, and browse directly to any authorized application URL as the victim. No public exploit identified at time of analysis, though the upstream commit clearly documents the bypass technique.
MISP's CSP report endpoint in versions 2.5.0 through 2.5.37 accepts payloads up to 1 MB per report instead of the developer-intended 1 KB limit, due to a 1,024x magnitude error in the truncation guard (`1024 * 1024` instead of `1024`). On deployments where the endpoint is reachable by untrusted clients, unauthenticated remote parties (per CVSS PR:N) can abuse this discrepancy to flood application logs with oversized reports, contributing to disk exhaustion or log integrity degradation. No public exploit code exists and active exploitation has not been confirmed; the CVSS 4.0 score of 5.1 (Low-Medium) reflects the limited, availability-only impact.
Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.
Insufficient input validation in MISP's Collections model allows authenticated low-privileged users to inject malformed UUID values into Collection records, potentially causing data integrity issues or unexpected behavior in downstream code paths that assume RFC 4122-compliant UUIDs. Affected deployments are all MISP instances prior to version 2.5.37. No public exploit code exists and CISA's SSVC framework rates exploitation as none, making this a low-urgency integrity issue rather than an active threat, though integrity of Collection relationships and UUID-dependent logic is at risk until patched.
Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to reset authentication keys of site administrator accounts within the same organization, yielding cross-tier access takeover. The flaw stems from missing authorization checks in the auth key reset workflow, enabling an org-admin to harvest a freshly generated site-admin API key. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.06%, but a vendor-released patch (2.5.37) is available.
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to manipulate ORDER BY clauses in event and shadow attribute listing endpoints by supplying crafted ordering parameters. The CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.04% and no public exploit has been identified at time of analysis. Given MISP's role as a repository of sensitive threat-intelligence data shared between organizations, successful exploitation could expose IOCs, attribution data, and partner-shared intelligence.
Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability stems from insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code has been identified at time of analysis.
LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.
Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated users with workflow privileges to inject arbitrary JavaScript via the workflow execution path view (executionPath.ctp), where doT.js template expressions used unescaped interpolation. Successful exploitation against a user who views the affected page (UI:R) results in scope-changed compromise of the victim's MISP session, including high-confidentiality/integrity/availability impact (CVSS 9.0). Publicly available exploit code exists in researcher-published repositories; no CISA KEV listing at time of analysis.
In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints lack sanitization for non-JSON responses. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI), so attackers with admin privileges can conduct XSS attacks against every page. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI), so attackers with admin privileges can conduct XSS attacks via a global menu link. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks and access restricted resources.