fix: critical API integrity bug, potentially allowing users to delete attributes of other events

- a crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute
pull/3064/head
iglocska 2018-03-23 11:44:47 +01:00
parent 2c20b30533
commit 37720c38d6
1 changed files with 1 additions and 0 deletions


@ -3128,6 +3128,7 @@ class Attribute extends AppModel {
$attribute['data'] = $result['data'];
$attribute['value'] = $attribute['value'] . '|' . $result['md5'];
}
unset($attribute['id']);
if (isset($attribute['uuid'])) {
$existingAttribute = $this->find('first', array(
'conditions' => array('Attribute.uuid' => $attribute['uuid']),
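Review bot: The `unset($attribute['id']);` line (apparently the one added here; the +/- markers are lost on this page) carries the whole fix but has no comment marking it as a security control, so a later cleanup could drop it. I would add above it `// Security: never honour a client-supplied id; existing attributes are matched by UUID only, otherwise an edit could overwrite another event's attribute`. The lookup that follows filters on `Attribute.uuid` alone in the visible lines, and the function continues outside the hunk, so please confirm that the found attribute's event is compared with the event being edited before it is updated. A regression test that submits an edit carrying an `id` but no `uuid`, and asserts the attribute with that id is left unchanged, would pin the behaviour.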