CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2018-19908

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.442

EPSS Ranking 97.4%

CVSS Severity

CVSS v3 Score 8.8

CVSS v2 Score 9.0

References

Products affected by CVE-2018-19908

Misp » Misp » Version: 2.4.90

cpe:2.3:a:misp:misp:2.4.90
Misp » Misp » Version: 2.4.91

cpe:2.3:a:misp:misp:2.4.91
Misp » Misp » Version: 2.4.92

cpe:2.3:a:misp:misp:2.4.92
Misp » Misp » Version: 2.4.93

cpe:2.3:a:misp:misp:2.4.93
Misp » Misp » Version: 2.4.94

cpe:2.3:a:misp:misp:2.4.94
Misp » Misp » Version: 2.4.95

cpe:2.3:a:misp:misp:2.4.95
Misp » Misp » Version: 2.4.96

cpe:2.3:a:misp:misp:2.4.96
Misp » Misp » Version: 2.4.97

cpe:2.3:a:misp:misp:2.4.97
Misp » Misp » Version: 2.4.98

cpe:2.3:a:misp:misp:2.4.98

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2018-19908

Products

Pricing

Contact Us