In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
The add_misp_export function in app/Controller/EventsController.php does not perform proper verification of uploaded files — it does not correctly check their type or content. An attacker can upload a malicious file (e.g., an executable script) via an HTTP network request without needing authentication. Lack of server-side restrictions allows the payload to be placed and potentially executed in the application context.
A remote unauthenticated attacker can gain full control over the system — including confidentiality, integrity, and availability of data — which corresponds to the maximum CVSS impact (C:H/I:H/A:H).
MISP should be updated to version 2.4.187 or later. The fix is available in commit 238010bfd004680757b324cba0c6344f77a25399 in the MISP project GitHub repository.
MISP in versions before 2.4.187
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMisp Project Misp
APPMisp-Project< 2.4.187
Related vulnerabilities
MISP: błędna kontrola dostępu w masowym usuwaniu obiektów (CWE-862)
MISP: RCE przez złośliwy plik konfiguracyjny rdkafka (CWE-829)
MISP: Wielokrotne słabości implementacji OAuth 2.0 z AAD – session fixation i inne
SQL Injection w MISP — manipulacja parametrami sortowania zapytań
MISP: Nieprawidłowa weryfikacja przesyłanego logo organizacji