CVE-2024-57969

Published Feb 14, 2025

Last updated 10 months ago

CVSS medium 4.3

Overview

Description
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.
Source
cve@mitre.org
NVD status
Analyzed
Products
misp

Risk scores

CVSS 3.1

Type
Secondary
Base score
4.3
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

cve@mitre.org
CWE-863

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.CVE-2026-39962
  2. In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.CVE-2025-67906
  3. In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.CVE-2024-58130
  4. In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.CVE-2024-58129
  5. In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.CVE-2024-58128

References

Sources include official advisories and independent security research.