PT-2022-19684 · Misp · Misp

Dawid · Published 2022-04-20 · Updated 2024-02-01

CVE-2022-29534

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: MISP versions prior to 2.4.158

Description: An issue was discovered in the UsersController.php file, where password confirmation can be bypassed via vectors involving an "Accept: application/json" header.

Recommendations: For versions prior to 2.4.158, update to version 2.4.158 or later to resolve the issue. As a temporary workaround, consider restricting access to the UsersController.php file or disabling the password confirmation feature until a patch is available. Avoid using the password and password confirmation variables in the affected API endpoint until the issue is resolved.

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2022-29534

Affected Products: Misp