ID CVE-2019-12868
Summary app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
References
Vulnerable Configurations
  • cpe:2.3:a:misp:misp:2.4.109:*:*:*:*:*:*:*
    cpe:2.3:a:misp:misp:2.4.109:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 18-06-2019 - 20:12)
Impact:
Exploitability:
CWE CWE-502
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
Last major update 18-06-2019 - 20:12
Published 18-06-2019 - 00:15
Back to Top