In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
The __uploadLogo function in the file app/Controller/OrganisationsController.php does not properly verify whether the uploaded file is actually a valid image file. The lack of proper validation (CWE-616 — improper validation of uploaded files) allows an attacker to upload a file with malicious content instead of a legitimate logo image. This can lead to execution of uploaded code on the server side or other harmful actions.
An attacker can gain full control over the system, including confidentiality, integrity, and availability of data, corresponding to maximum values of CVSS components (C:H/I:H/A:H). A successful attack may result in unauthorized access to MISP platform data and potential server takeover.
MISP should be updated to version 2.4.187 or newer. The patch is available in the MISP GitHub repository in commit 6a2986be6aad6b37858b4869e238f517b295c111.
MISP in all versions prior to 2.4.187
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMisp Project Misp
APPMisp-Project< 2.4.187
Related vulnerabilities
MISP: błędna kontrola dostępu w masowym usuwaniu obiektów (CWE-862)
MISP: RCE przez złośliwy plik konfiguracyjny rdkafka (CWE-829)
MISP: Wielokrotne słabości implementacji OAuth 2.0 z AAD – session fixation i inne
SQL Injection w MISP — manipulacja parametrami sortowania zapytań
MISP: Nieprawidłowa walidacja uploadu pliku umożliwia RCE