Jakub Onderka
01c049448f
chg: [UI] data-edit-field
2022-04-18 19:54:13 +02:00
Jakub Onderka
f280866b53
chg: [UI] Event ID is not required
2022-04-18 19:54:13 +02:00
Jakub Onderka
96d40c6a77
chg: [UI] Link class is not required
2022-04-18 19:54:13 +02:00
Jakub Onderka
8f56190841
chg: [UI] Reduce number of attributes ID in code
2022-04-18 19:54:13 +02:00
Jakub Onderka
46c8a43593
chg: [UI] No need to escape integers
2022-04-18 19:54:13 +02:00
Jakub Onderka
e06a881b24
fix: [UI] Fetching object timestamp
2022-04-18 19:54:13 +02:00
Jakub Onderka
1f6b6acdea
chg: [UI] Make event page smaller
2022-04-18 19:54:13 +02:00
Jakub Onderka
6a8273d9ee
chg: [UI] Cleanup code for object template
2022-04-18 19:54:12 +02:00
Jakub Onderka
559e51e8e0
chg: [UI] Use date helper
2022-04-18 19:54:12 +02:00
Jakub Onderka
dbc244f860
chg: [UI] Remove unnecessary div
2022-04-18 19:54:12 +02:00
Jakub Onderka
bcfe08c7cf
fix: [UI] Correctly update attribute timestamp
2022-04-18 19:54:12 +02:00
Jakub Onderka
c6d0737a90
fix: [internal] Validation when editing field
2022-04-18 19:54:12 +02:00
Jakub Onderka
79e911fde0
chg: [UI] Remove unnecessary placeholders from HTML code
2022-04-18 19:54:12 +02:00
Jakub Onderka
50fb96d7b0
fix: [UI] Show correct error message when fetching data
2022-04-18 19:54:12 +02:00
Jakub Onderka
8aea49d926
fix: [view] Remove unused variables
2022-04-18 19:54:12 +02:00
Jakub Onderka
d2b5796b56
chg: [internal] Remove unnecessary array_values call
2022-04-18 19:54:12 +02:00
Jakub Onderka
781829cad5
chg: [internal] No need to edit types
2022-04-18 19:54:12 +02:00
iglocska
2688961cc3
Merge branch 'develop' of github.com:MISP/MISP into develop
2022-04-18 17:59:34 +02:00
iglocska
51132cdc67
new: [LS22] added shell to control other MISP instances for the exercise
- not that interesting for most users, however, it can be used as a basis to build similar scripts
2022-04-18 17:58:50 +02:00
iglocska
ccbd119417
chg: [internal] setupSyncRequest made public
- to be able to access it via shell scripts
2022-04-18 17:57:38 +02:00
iglocska
09fe799eea
chg: [security] fixed a non-exploitable way to access arbitrary cakePHP view files
- via the pages controller, directory traversal was possible
- still restricted to .ctp files, making this not feasible for all intents and purposes
- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 02:19:12 +02:00
iglocska
01120163a6
fix: [security] Password confirmation bypass in user edit
- optional password confirmation can be potentially circumvented
- fooling the user edit via a request that sets accept:application/json whilst posting form content
- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 02:00:13 +02:00
iglocska
ce6bc88e33
fix: [security] low probability reflected XSS fixed
- User would need to navigate to a url that contains the payload
- user needs to click on a checkbox in a weird single checkbox page to trigger the exploit
- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 01:05:10 +02:00
iglocska
60c85b80e3
fix: [security] XSS in cerebrate view
- low probability XSS in the cerebrate view's URL field
- a malicious administrator could set a javascript: url
- another administrator would have to click the suspicious looking URL to be affected
- As reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 00:58:31 +02:00
iglocska
bb3b7a7e91
fix: [security] stored XSS fixed in event graph
- unsanitised javascript insertion of tag name in the filters
- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 00:49:21 +02:00
iglocska
107e271d78
fix: [security] XSS in galaxy clusters
- fixed a stored XSS in the galaxy clusters
- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-17 19:12:16 +02:00
iglocska
68a59df77c
fix: [boolean case] fixed uppercasing of the boolean values
- Javascript != Python
2022-04-17 19:00:15 +02:00
iglocska
9623de2f5c
fix: [security] XSS in LinOTP login field fixed
- fixed a stored XSS in the LinOTP login
- also fixed invalid calls to check MISP settings from a javascript scope
- as reported by Dawid Czarnecki of Zigrin Security
2022-04-17 18:56:45 +02:00
iglocska
93821c0de6
fix: [security] Sanitise paths for several file interactions
- remove :// anywhere we don't expect a protocol to be supplied
- remove phar:// in certauth plugin's fetcher
- as reported by Dawid Czarnecki of Zigrin Security
2022-04-17 18:25:51 +02:00
iglocska
0108f1bde2
fix: [security] unregister phar from stream wrappers globally for all Model code
- blanket protection against phar deserialization vulnerabilities
- as reported by Dawid Czarnecki of Zigrin Security
2022-04-17 16:30:14 +02:00
Jakub Onderka
9d2ed56906
chg: [internal] Remove not used mapping variable
2022-04-15 18:13:58 +02:00
Jakub Onderka
ceaed9533d
fix: [internal] Remove unnecessary loadModel
2022-04-15 18:13:21 +02:00
iglocska
3e706867e9
new: [emailing] add custom templates to override existing ones
- currently implemented for event publish alerts and user enrollment (password_reset.ctp, alert.ctp)
- simply place the new templates in MISP/app/View/Emails/[text|html]/Custom
2022-04-15 16:28:36 +02:00
Jakub Onderka
ecdba477ab
chg: [js] Simplify `freetextImportResultsSubmit` function
2022-04-15 16:14:52 +02:00
Jakub Onderka
dc6c20b11f
chg: [internal] Do not fetch object info when fetching related attributes
2022-04-15 16:14:07 +02:00
Jakub Onderka
104ea79afc
chg: [internal] Simplify and speedup code for freetext importing
2022-04-15 14:31:17 +02:00
Luciano Righetti
204ec386b2
Merge pull request #8277 from tomking2/feature/restSearch_SharingGroup
Add in new RestAPI parameter to filter by sharing group on Event or Attribute search
2022-04-14 17:25:59 +02:00
Tom King
37ea0ddee1
chg: Add in new RestAPI parameter to filter by sharing group on Event or Attribute search
2022-04-13 16:27:20 +01:00
Jakub Onderka
5e35c7052a
Merge pull request #8276 from JakubOnderka/fix-undefined-index-vol2
fix: [UI] Undefined index: perm_site_admin
2022-04-13 17:23:45 +02:00
Jakub Onderka
003fee8f6c
fix: [UI] Undefined index: perm_site_admin
2022-04-13 15:02:11 +02:00
Jakub Onderka
745299fa3f
Merge pull request #8273 from JakubOnderka/fix-taxonomy-toggle
fix: [UI] Mark checkbox as disabled when user has no permission
2022-04-13 14:15:46 +02:00
Jakub Onderka
bebe530d38
Merge pull request #8274 from JakubOnderka/fix-show-warning
fix: [UI] Show warnings
2022-04-13 14:08:46 +02:00
Jakub Onderka
473f0b380d
chg: [UI] Remove box-shadow for warning
2022-04-13 11:00:40 +02:00
Jakub Onderka
789d775d5a
fix: [UI] Show warnings
2022-04-13 09:28:16 +02:00
Jakub Onderka
389ea222ea
new: [test] test_taxonomy_export
2022-04-13 09:05:31 +02:00
Jakub Onderka
274e427ce3
chg: [internal] Better logging for taxonomies
2022-04-11 14:18:23 +02:00
Jakub Onderka
c8ed71bf40
fix: [UI] Mark checkbox as disabled when user has no permission
2022-04-11 13:57:25 +02:00
Luciano Righetti
3dc5090b59
chg: upgrade moment.js to v2.29.2
2022-04-11 08:59:37 +02:00
Luciano Righetti
384fd6ba79
Merge pull request #8271 from righel/upgrade-moment-js
chg: upgrade moment.js to v2.29.2
2022-04-11 08:57:09 +02:00
Luciano Righetti
035b6b282e
chg: upgrade moment.js to v2.29.2
2022-04-11 08:44:57 +02:00