CVE-2018-19908

HIGH

MISP <2.4.99 - Command Injection


Description

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

Exploits (1)

exploitdb (working PoC)
by Tm9jdGlz · python · webapps · php
https://www.exploit-db.com/exploits/46401

Scores

CVSS v3 8.8
EPSS 0.3371
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
misp/misp 2.4.90 - 2.4.99
Published Dec 06, 2018
Tracked Since Feb 18, 2026