CRITICAL🇵🇱 Wersja polska

CVE-2024-29859

CVSS 9.8v3.1pub. 2024-03-21upd. 2026-06-22

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

🤖 AI Analysis
How it works

The add_misp_export function in app/Controller/EventsController.php does not perform proper verification of uploaded files — it does not correctly check their type or content. An attacker can upload a malicious file (e.g., an executable script) via an HTTP network request without needing authentication. Lack of server-side restrictions allows the payload to be placed and potentially executed in the application context.

Impact

A remote unauthenticated attacker can gain full control over the system — including confidentiality, integrity, and availability of data — which corresponds to the maximum CVSS impact (C:H/I:H/A:H).

Mitigation & patch

MISP should be updated to version 2.4.187 or later. The fix is available in commit 238010bfd004680757b324cba0c6344f77a25399 in the MISP project GitHub repository.

Who is affected

MISP in versions before 2.4.187

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Misp Project Misp

    APP
    Misp-Project
    < 2.4.187
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-56423CRITICAL9.4PL ✓ten sam produkt

MISP: błędna kontrola dostępu w masowym usuwaniu obiektów (CWE-862)

CVE-2026-56447CRITICAL9.3PL ✓ten sam produkt

MISP: RCE przez złośliwy plik konfiguracyjny rdkafka (CWE-829)

CVE-2026-56425CRITICAL9.3PL ✓ten sam produkt

MISP: Wielokrotne słabości implementacji OAuth 2.0 z AAD – session fixation i inne

CVE-2026-44381CRITICAL9.3PL ✓ten sam produkt

SQL Injection w MISP — manipulacja parametrami sortowania zapytań

CVE-2024-29858CRITICAL9.8PL ✓ten sam produkt

MISP: Nieprawidłowa weryfikacja przesyłanego logo organizacji