Vulnerability CVE-2018-19908


Published: 2018-12-06

Description:
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
MISP 2.4.97 SQL Injection / Command Injection
Tm9jdGlz
19.02.2019

Type:

CWE-77

(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: MISP
Product: MISP 
Version:
2.4.98
2.4.97
2.4.96
2.4.95
2.4.94
2.4.93
2.4.92
2.4.91
2.4.90

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9/10
10/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3
https://github.com/MISP/MISP/releases/tag/v2.4.99
https://www.exploit-db.com/exploits/46401/

Related CVE
CVE-2019-12868
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-12794
An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situati...
CVE-2019-11814
An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.
CVE-2019-11813
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
CVE-2019-11812
A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
CVE-2019-10254
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
CVE-2019-9482
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / ...
CVE-2018-12649
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POS...

Copyright 2019, cxsecurity.com

 

Back to Top