QwikSec

Security Database

CVE

CWE

Training

CVE-2018-19908

Published: Dec 6, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3

x_refsource_MISC

https://github.com/MISP/MISP/releases/tag/v2.4.99

x_refsource_MISC

exploit

x_refsource_EXPLOIT-DB

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.