mirror of https://github.com/MISP/MISP
fix: critical API integrity bug, potentially allowing users to delete attributes of other events
- a crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attributepull/3064/head
parent
2c20b30533
commit
37720c38d6
|
@ -3128,6 +3128,7 @@ class Attribute extends AppModel {
|
|||
$attribute['data'] = $result['data'];
|
||||
$attribute['value'] = $attribute['value'] . '|' . $result['md5'];
|
||||
}
|
||||
unset($attribute['id']);
|
||||
if (isset($attribute['uuid'])) {
|
||||
$existingAttribute = $this->find('first', array(
|
||||
'conditions' => array('Attribute.uuid' => $attribute['uuid']),
|
||||
|
|
Loading…
Reference in New Issue