CVE-2018-19908

MISP/MISP

on github

Published

December 6, 2018

Severity

CVSS v3:

8.8 HIGH

CVSS v2:

9 HIGH

Description

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

References

https://github.com/MISP/MISP/releases/tag/v2.4.99
https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3
https://www.exploit-db.com/exploits/46401/

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:misp:misp::::::::	2.4.90 (including)	2.4.99	*

External Links

NVD - CVE-2018-19908