CVE-2018-19908
NONE EPSS 96.7%
Published Dec 6, 20187y ago · Modified Jun 22, 20261w ago
Published Dec 6, 2018 7y ago
Last Modified Jun 22, 2026 1w ago
Description
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
Threat Intelligence
EPSS Exploit Probability
96.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-78 OS Command Injection Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| misp-project | misp | * | ≥2.4.90 – <2.4.99 |
References 3
- github.com https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3
- github.com https://github.com/MISP/MISP/releases/tag/v2.4.99
- exploit-db.com https://www.exploit-db.com/exploits/46401/
Remediation
- github.com https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3