CVE-2022-48329

CRITICAL
Published Feb 20, 2023 (3y ago) · Modified Jun 22, 2026 (1w ago)
9.8 CVSS 3.1

Description

MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.

CVSS Details

Base Score: 9.8
Exploitability: 3.9
Impact: 5.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-755

Affected Products 1

Vendor | Product | Version | Range
misp-project | misp | * | <2.4.166

References 3

  • github.com https://github.com/MISP/MISP/commit/a73c1c461bc6f8a048eae92b5e99823afd892d1e
    Patch
  • github.com https://github.com/MISP/MISP/commit/afbe08d256d609eee5195c5b0003cfb723ae7af1
    Patch
  • github.com https://github.com/MISP/MISP/compare/v2.4.165...v2.4.166
    Release Notes

Remediation

  • github.com https://github.com/MISP/MISP/commit/a73c1c461bc6f8a048eae92b5e99823afd892d1e
    Patch
  • github.com https://github.com/MISP/MISP/commit/afbe08d256d609eee5195c5b0003cfb723ae7af1
    Patch