CVE-2018-19908

Published: 06/12/2018 Updated: 04/03/2019
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 885
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

An issue exists in MISP 2.4.9x prior to 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

Affected Products

Vendor | Product | Versions
Misp | Misp | 2.4.90, 2.4.91, 2.4.92, 2.4.93, 2.4.94, 2.4.95, 2.4.96, 2.4.97, 2.4.98

Mailing Lists

MISP version 2497 suffers from SQL command execution via command injection in the STIX module ...