CRITICAL🇵🇱 Wersja polska

CVE-2024-29858

CVSS 9.8v3.1pub. 2024-03-21upd. 2026-06-22

In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.

🤖 AI Analysis
How it works

The __uploadLogo function in the file app/Controller/OrganisationsController.php does not properly verify whether the uploaded file is actually a valid image file. The lack of proper validation (CWE-616 — improper validation of uploaded files) allows an attacker to upload a file with malicious content instead of a legitimate logo image. This can lead to execution of uploaded code on the server side or other harmful actions.

Impact

An attacker can gain full control over the system, including confidentiality, integrity, and availability of data, corresponding to maximum values of CVSS components (C:H/I:H/A:H). A successful attack may result in unauthorized access to MISP platform data and potential server takeover.

Mitigation & patch

MISP should be updated to version 2.4.187 or newer. The patch is available in the MISP GitHub repository in commit 6a2986be6aad6b37858b4869e238f517b295c111.

Who is affected

MISP in all versions prior to 2.4.187

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Misp Project Misp

    APP
    Misp-Project
    < 2.4.187
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-56423CRITICAL9.4PL ✓ten sam produkt

MISP: błędna kontrola dostępu w masowym usuwaniu obiektów (CWE-862)

CVE-2026-56447CRITICAL9.3PL ✓ten sam produkt

MISP: RCE przez złośliwy plik konfiguracyjny rdkafka (CWE-829)

CVE-2026-56425CRITICAL9.3PL ✓ten sam produkt

MISP: Wielokrotne słabości implementacji OAuth 2.0 z AAD – session fixation i inne

CVE-2026-44381CRITICAL9.3PL ✓ten sam produkt

SQL Injection w MISP — manipulacja parametrami sortowania zapytań

CVE-2024-29859CRITICAL9.8PL ✓ten sam produkt

MISP: Nieprawidłowa walidacja uploadu pliku umożliwia RCE