CVE-2019-12868
published 2019-06-18
CVE-2019-12868: app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled…
Priority P344 high 7.2 CVSS 3.0
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS
3.43%
87.5th percentile
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| misp-project | misp | — | — |
CVSS provenance
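| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |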
VulDB
MISP 2.4.109 app/Model/Server.php file_exists deserialization
vuldb·2026-06-23·CVSS 7.2
CVE-2019-12868 [HIGH] MISP 2.4.109 app/Model/Server.php file_exists deserialization
A vulnerability has been found in MISP 2.4.109 and classified as critical. This vulnerability affects the function file_exists of the file app/Model/Server.php. The manipulation leads to deserialization.
This vulnerability is documented as CVE-2019-12868. The attack can be initiated remotely. There is not any exploit available.
GHSA
GHSA-p73m-v6fq-jvc8: app/Model/Server
ghsa_unreviewed·2022-05-24
CVE-2019-12868 [HIGH] CWE-502 GHSA-p73m-v6fq-jvc8: app/Model/Server
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/MISP/MISP/commit/c42c5fe92783dd306b7600db1f6a25324445b40c
https://zigrin.com/advisories/misp-command-injection-via-phar-deserialization/
2019-06-18
Published