CVE-2018-19908

NONE EPSS 96.7%
Published Dec 6, 2018 (7y ago) · Modified Jun 22, 2026 (1w ago)

Description

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

Threat Intelligence

EPSS Exploit Probability
96.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-78 OS Command Injection

Affected Products 1

Vendor        Product  Version  Range
misp-project  misp     *        ≥2.4.90 – <2.4.99

References 3

  • github.com https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3
    Patch, Third Party Advisory
  • github.com https://github.com/MISP/MISP/releases/tag/v2.4.99
    Release Notes, Third Party Advisory
  • exploit-db.com https://www.exploit-db.com/exploits/46401/
    Exploit, Third Party Advisory, VDB Entry

Remediation

  • github.com https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3
    Patch, Third Party Advisory