PT-2018-15158 · Misp · Misp
Published: 2018-12-06 · Updated: 2019-10-03 · CVE-2018-19908
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
MISP versions 2.4.9x through 2.4.98
Description
An issue was discovered in the STIX 1 import code of MISP, where an unescaped filename string is used to construct a shell command. This can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
Recommendations
For MISP versions 2.4.9x through 2.4.98, update to version 2.4.99 or later to resolve the issue. As a temporary workaround, consider restricting access to the STIX import functionality to minimize the risk of exploitation.
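The flaw class described above, shown as an added example that is not MISP's own code: a client-supplied filename concatenated into a shell command line, next to two hardened forms. Python is used as a stand-in, `echo` replaces the import helper (the advisory does not name the real command), and the sample filename and all function names are constructed for illustration.

```python
import secrets
import subprocess

# Constructed sample: an "original filename" as a client could submit it.
SAMPLE_NAME = "report.xml; echo SECOND-COMMAND"


def run_unsafe(original_name):
    """Vulnerable pattern: the filename is pasted into a shell command line,
    so the shell parses any metacharacters it contains."""
    out = subprocess.run("echo IMPORT " + original_name, shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv(original_name):
    """Hardened: pass an argument vector and no shell, so the filename
    reaches the helper as exactly one argument."""
    out = subprocess.run(["echo", "IMPORT", original_name],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def storage_name():
    """Hardened further: store the upload under a server-generated name and
    never reuse the client-supplied one on disk or on a command line."""
    return secrets.token_hex(16) + ".xml"


if __name__ == "__main__":
    print(run_unsafe(SAMPLE_NAME))  # two output lines: the shell ran twice
    print(run_argv(SAMPLE_NAME))    # one output line: filename stayed data
    print(storage_name())
```

Where a shell string cannot be avoided, quote the value with the platform's escaping function (`shlex.quote` in Python, `escapeshellarg` in PHP) instead of concatenating it raw.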
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Misp