CVE-2022-48329

EUVD-2022-51029
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
mispmisp
𝑥
< 2.4.166
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/MISP/MISP/commit/a73c1c461bc6f8a048eae92b5e99823afd892d1e
https://github.com/MISP/MISP/commit/afbe08d256d609eee5195c5b0003cfb723ae7af1
https://github.com/MISP/MISP/compare/v2.4.165...v2.4.166
https://github.com/MISP/MISP/commit/a73c1c461bc6f8a048eae92b5e99823afd892d1e
https://github.com/MISP/MISP/commit/afbe08d256d609eee5195c5b0003cfb723ae7af1
https://github.com/MISP/MISP/compare/v2.4.165...v2.4.166