{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.4.90"
              },
              {
                "fixed": "2.4.99"
              }
            ]
          },
          "events": [
            {
              "introduced": "4a72c1b66900239c3c9fc875cd3bdb4d9d4e81d9"
            },
            {
              "fixed": "c1ad4abf8ff8c3d0bae8666c1ce27d68a217a983"
            },
            {
              "fixed": "211ac0737281b65e7da160f0aac52f401a94e1a3"
            }
          ],
          "repo": "https://github.com/misp/misp",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "An OS command injection issue was discovered in MISP 2.4.9x before 2.4.99 (affected versions start at 2.4.90). In app/Model/Event.php (the STIX 1 import code), an unescaped filename string, taken from the original filename of the STIX import, is used to construct a shell command. A malicious authenticated user can abuse this to execute arbitrary commands by manipulating the original filename of the STIX import. The issue is fixed in 2.4.99.",
  "id": "CVE-2018-19908",
  "modified": "2026-03-13T21:54:49.189616085Z",
  "published": "2018-12-06T16:29:00.290Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/MISP/MISP/releases/tag/v2.4.99"
    },
    {
      "type": "FIX",
      "url": "https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3"
    },
    {
      "type": "EVIDENCE",
      "url": "https://www.exploit-db.com/exploits/46401/"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}