Davy Stoffel

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.3.92 **Description** The issue is related to the improper restriction of filenames under the tmp/files/ directory in the Malware Information Sharing Platform (MISP). The impact and attack vectors of this issue are not specified. **Recommendations** For versions prior to 2.3.92, update to version 2.3.92 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.3.90 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific vectors, including the `add.ctp`, `edit.ctp`, and `ajaxification.js` files. **Recommendations** For versions prior to 2.3.90, update to version 2.3.90 or later to resolve the issue. As a temporary workaround, consider restricting access to the template-creation feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.3.90 **Description** The issue allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate event from template attributes.ctp. **Recommendations** For versions prior to 2.3.90, update to version 2.3.90 or later to resolve the issue. As a temporary workaround, consider restricting access to the TemplatesController.php and populate event from template attributes.ctp components to minimize the risk of exploitation.