Published: 06/12/2018 Updated: 19/02/2019
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

Vulnerability Summary

MISP Event.php command execution

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

MISP could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper validation of filename string for STIX import by the app/Model/Event.php script. By using specially-crafted filename for STIX import, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Access Complexity: LOW
Authentication: SINGLE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vulnerability Trend

Mailing Lists

MISP version 2497 suffers from SQL command execution via command injection in the STIX module ...