Andras Iklody

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An authorization flaw exists in the object add/edit handling. An authenticated user with object editing permissions can assign a MISP object, or attributes within an object, to a sharing group they are not authorized to use or view. This occurs because sharing group validation is performed against an incorrect request data structure after object fields are merged to the top level, bypassing the check. Additionally, attributes embedded in objects are not individually validated for authorized sharing group use. An attacker can craft a request with `distribution` set to 4 and an arbitrary `sharing group id`, which may disclose the existence or name of non-visible sharing groups and improperly modify the distribution metadata of objects or attributes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An improper authorization issue allows an authenticated organization administrator to access or modify user settings of site administrator accounts within the same organization. This occurs because access-control checks scoped administrative actions by organization membership but failed to exclude higher-privileged site administrator users, allowing a breach of the privilege boundary between organization and site-wide administration. This could lead to the unauthorized viewing or alteration of site administrator user settings and login profile information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An incorrect authorization issue allows an organization administrator to target site administrator accounts within the same organization using the administrative email functionality. The system fails to exclude accounts with the site administrator role from recipient queries, enabling an organization administrator to perform privileged account-management actions, such as initiating a password reset workflow, against higher-privileged accounts. Successful exploitation can lead to account takeover, privilege escalation, and full compromise of the instance's confidentiality, integrity, and availability. The attacker must be authenticated as an organization administrator in the same organization as the target site administrator. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An insecure default configuration exists where the `Security.check sec fetch site header` control is disabled. This allows state-changing requests, such as POST, PUT, or AJAX requests, to be processed without restriction based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker can craft a malicious web page that tricks an authenticated user's browser into sending cross-site requests to automation endpoints. These forged requests are processed with the victim's privileges, which may lead to unauthorized modification of data or configuration. **Recommendations** Enable the `Security.check sec fetch site header` setting. Operators of multi-homed deployments should validate this setting before enforcement.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** A mass assignment issue exists in the sharing group creation endpoint. The controller fails to remove a user-supplied `id` field before saving data. In CakePHP, providing a primary key during a save operation can cause the system to update an existing record instead of creating a new one. An authenticated user with permissions to add sharing groups can submit the identifier of an existing group to modify it, bypassing standard edit access-control checks. This allows an attacker to take over or alter sharing groups they are not authorized to access, impacting the confidentiality and integrity of the shared information. The issue is located in the `add()` action of the `app/Controller/SharingGroupsController.php` component. **Recommendations** As a temporary workaround, restrict access to the `add()` action in the `app/Controller/SharingGroupsController.php` controller to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** Multiple mass assignment issues exist in the handling of collections, tag collections, event delegations, and shadow attributes. Certain controller actions accept user-supplied fields that should be server-controlled, specifically record identifiers and ownership fields such as `id`, `org id`, `orgc id`, and `user id`. An authenticated attacker can craft requests to these endpoints to alter object ownership, redirect updates to different records, overwrite event delegation requests, or modify shadow attribute proposals of other organizations. This may lead to unauthorized modification of objects and potential unauthorized access to or transfer of sensitive threat intelligence data. The affected functions include `CollectionsController::edit()`, `EventDelegationsController::delegateEvent()`, `ShadowAttributesController::edit()`, `TagCollectionsController::edit()`, and `TagCollectionsController::editWithTags()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An incorrect visibility condition in the event template builder allows authenticated non-site-admin users to view galaxies that should not be visible to their organization. The issue stems from a custom access-control condition that uses a PHP comparison expression instead of a query condition to restrict galaxies to those owned by the user's organization or distributed beyond it. Consequently, enabled galaxies, including organization-only custom galaxies belonging to other organizations, may be exposed in the template builder galaxy list, potentially disclosing metadata about private galaxy definitions to unauthorized users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** A stored cross-site scripting issue exists when using the Overmind theme. The 'setHomePage' endpoint saves the user-controlled `path` value via the `setSettingInternal()` function, which bypasses the `setSetting()` validation logic and the `validate homepage` check that requires paths to start with /. This allows an authenticated user to store an arbitrary value, such as a malicious script. The value is subsequently rendered in 'app/View/News/index.ctp' as the href attribute of the “Continue to homepage” link without HTML escaping, enabling the execution of attacker-controlled JavaScript in the browser context of the affected instance. **Recommendations** Update the software to a version where the homepage setting is persisted through `setSetting()` to ensure validation and access checks are applied, and where the homepage value is HTML-escaped before rendering in the news view.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** A path traversal issue exists in the `getOrgLogo()` function of the `OrganisationsController`. The software constructs file paths for organization logos using fields controlled by the organization, such as `id`, `name`, and `uuid`, without verifying that the resulting path stays within the intended `APP/files/img/orgs/` directory. An attacker who can modify an organization field, such as the organization name, can use path traversal sequences to retrieve arbitrary readable `.png` or `.svg` files from locations outside the designated logo directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** A reflected cross-site scripting issue exists in the UiBeta event index view. The `urlparams` value is inserted into an inline JavaScript handler using HTML escaping within a single-quoted JavaScript string. Since browsers HTML-decode attribute values before JavaScript parsing, a specially crafted `searcheventinfo` value can restore encoded quote characters to break out of the JavaScript string. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim's browser within the context of the MISP instance. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An information disclosure issue exists in the AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown is populated using the `AuthKey.user id` value provided in the request data. An authenticated user with permissions to edit an AuthKey can submit arbitrary user IDs to observe the returned dropdown data, which enables the enumeration of user email addresses. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An issue in the non-REST event editing path allows an authenticated user with event edit permissions to manipulate submitted form data. By tampering with the event edit request, a user can set the `sharing group id` variable to a sharing group they are not authorized to use. This occurs because the non-REST save path fails to perform the sharing group authorization check that is enforced by the REST edit path when distribution is set to sharing group distribution. This could lead to the unauthorized use of restricted sharing groups, disclosure of sharing group names in event listings, and unintended modification of event distribution metadata. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cerebrate versions prior to 1.37 **Description** An authenticated attacker can perform unauthorized modification of records by supplying the `id` primary key field through request input during CRUD edit operations and specific custom entity patching flows. In entities where `id` is not explicitly marked as inaccessible, a crafted request containing the `id` of another record causes the save operation to update that unrelated record instead of the one identified by the route parameter. This issue affects entity types with permissive mass-assignment defaults, such as User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Because the UserSettings edit functionality is accessible to any authenticated user, this can lead to unauthorized record modifications depending on the writable fields and the endpoint used. **Recommendations** Update to version 1.37.

**Name of the Vulnerable Software and Affected Versions** Cerebrate versions prior to 1.37 **Description** The self-registration workflow stores the registrant's hashed password in the inbox message data payload. This payload is returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and can be written unredacted into audit log entries for the inbox message. An authenticated user with sufficient privileges to access inbox entries or related audit logs can retrieve these password hashes. While the exposed data is hashed rather than plaintext, it may facilitate offline password-cracking attempts, especially if users reuse passwords across different systems. **Recommendations** Update to version 1.37.

**Name of the Vulnerable Software and Affected Versions** Cerebrate versions prior to 1.37 **Description** A mass-assignment issue exists in the generic CRUD add path. The `add()` handler fails to properly remove an attacker-supplied `id` from `$params` before the request is normalized via ` massageInput()`. Consequently, the normalized `$input` may still contain an `id` field, allowing a user to provide an identifier that should be controlled by the server. This could lead to the creation of objects with attacker-chosen identifiers, resulting in unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions. **Recommendations** Update to version 1.37.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** A logic error in the CRUD component delete handler allows validation failures to be bypassed when using the HTTP DELETE method. This occurs because missing parentheses in the delete condition cause the expression to be evaluated as `($validationError === null && POST) || DELETE`, allowing a DELETE request to proceed even if the delete validation callback rejected the operation. An authenticated attacker with access to an affected delete endpoint can exploit this to delete records that should be protected by application-level validation or authorization checks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** An issue exists in the 'over-correlation' endpoint where the `order` query parameter is accepted from user-controlled named request parameters. This allows an authenticated user to override the server-defined ordering of over-correlating values. Depending on the processing by the underlying data access layer, this could lead to manipulation of database query ordering and potentially expose the application to unsafe query construction. The issue is located in the `overCorrelations()` function within the `app/Controller/CorrelationsController.php` component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An issue in the dashboard widgets allows an authenticated user to manipulate the fields option to influence the data returned by the New Users and New Organisations widgets. When a requested field set becomes empty after validation or redaction, the underlying query may fall back to returning unintended model fields. This can enable a non-site-admin user to disclose restricted metadata, such as user e-mail addresses, even if e-mail disclosure is disabled in the configuration. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** A mass assignment issue exists in the user edit functionality. The application fails to sufficiently filter user-supplied fields in the `UsersController::edit()` function, allowing it to accept a user-controlled `User.id` value from request data. An authenticated attacker can craft a modified request containing a different user identifier to apply updates to an unintended account. This may lead to unauthorized modification of user account attributes and compromise account integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An authorization flaw exists in the Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application verifies if a matching template exists but fails to confirm that the importing user belongs to the organization owning that template. This allows an authenticated user to forcibly overwrite an event template owned by another organization, potentially altering its structure, attributes, or metadata. Site administrators are not affected by this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.