MISP Event.php command execution
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
MISP could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper validation of filename string for STIX import by the app/Model/Event.php script. By using specially-crafted filename for STIX import, an attacker could exploit this vulnerability to execute arbitrary commands on the system.