Commit Graph

21806 Commits (a5622c74631892ab882cc0192a048babef49a124)

Author SHA1 Message Date
Jakub Onderka 01c049448f chg: [UI] data-edit-field 2022-04-18 19:54:13 +02:00
Jakub Onderka f280866b53 chg: [UI] Event ID is not required 2022-04-18 19:54:13 +02:00
Jakub Onderka 96d40c6a77 chg: [UI] Link class is not required 2022-04-18 19:54:13 +02:00
Jakub Onderka 8f56190841 chg: [UI] Reduce number of attributes ID in code 2022-04-18 19:54:13 +02:00
Jakub Onderka 46c8a43593 chg: [UI] No need to escape integers 2022-04-18 19:54:13 +02:00
Jakub Onderka e06a881b24 fix: [UI] Fetching object timestamp 2022-04-18 19:54:13 +02:00
Jakub Onderka 1f6b6acdea chg: [UI] Make event page smaller 2022-04-18 19:54:13 +02:00
Jakub Onderka 6a8273d9ee chg: [UI] Cleanup code for object template 2022-04-18 19:54:12 +02:00
Jakub Onderka 559e51e8e0 chg: [UI] Use date helper 2022-04-18 19:54:12 +02:00
Jakub Onderka dbc244f860 chg: [UI] Remove unnecessary div 2022-04-18 19:54:12 +02:00
Jakub Onderka bcfe08c7cf fix: [UI] Correctly update attribute timestamp 2022-04-18 19:54:12 +02:00
Jakub Onderka c6d0737a90 fix: [internal] Validation when editing field 2022-04-18 19:54:12 +02:00
Jakub Onderka 79e911fde0 chg: [UI] Remove unnecessary placeholders from HTML code 2022-04-18 19:54:12 +02:00
Jakub Onderka 50fb96d7b0 fix: [UI] Show correct error message when fetching data 2022-04-18 19:54:12 +02:00
Jakub Onderka 8aea49d926 fix: [view] Remove unused variables 2022-04-18 19:54:12 +02:00
Jakub Onderka d2b5796b56 chg: [internal] Remove unnecessary array_values call 2022-04-18 19:54:12 +02:00
Jakub Onderka 781829cad5 chg: [internal] No need to edit types 2022-04-18 19:54:12 +02:00
iglocska 2688961cc3
Merge branch 'develop' of github.com:MISP/MISP into develop 2022-04-18 17:59:34 +02:00
iglocska 51132cdc67
new: [LS22] added shell to control other MISP instances for the exercise
- not that interesting for most users; however, it can be used as a basis to build similar scripts
2022-04-18 17:58:50 +02:00
iglocska ccbd119417
chg: [internal] setupSyncRequest made public
- to be able to access it via shell scripts
2022-04-18 17:57:38 +02:00
iglocska 09fe799eea
chg: [security] fixed a non-exploitable way to access arbitrary cakePHP view files
- via the pages controller, directory traversal was possible
- still restricted to .ctp files, making this not feasible for all intents and purposes

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 02:19:12 +02:00
iglocska 01120163a6
fix: [security] Password confirmation bypass in user edit
- optional password confirmation can be potentially circumvented
- fooling the user edit via a request that sets accept:application/json whilst posting form content

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 02:00:13 +02:00
iglocska ce6bc88e33
fix: [security] low probability reflected XSS fixed
- User would need to navigate to a url that contains the payload
- user needs to click on a checkbox in a weird single checkbox page to trigger the exploit

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 01:05:10 +02:00
iglocska 60c85b80e3
fix: [security] XSS in cerebrate view
- low probability XSS in the cerebrate view's URL field
- a malicious administrator could set a javascript: url
- another administrator would have to click the suspicious looking URL to be affected

- As reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 00:58:31 +02:00
iglocska bb3b7a7e91
fix: [security] stored XSS fixed in event graph
- unsanitised javascript insertion of tag name in the filters

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-18 00:49:21 +02:00
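Added example, not code from MISP or its authors: two small output-side guards for the classes of bug fixed in the cerebrate view (a `javascript:` URL in a link field) and the event graph (a tag name inserted into JavaScript without encoding). The function names and the sample inputs are the editor's own and are not taken from the MISP code base.

```php
<?php
// Added example (not MISP code). Function names are the editor's own.

/**
 * Allow only absolute http(s) URLs for a user-controlled link field.
 * Rejects javascript:, data:, vbscript: and scheme-relative values, and
 * first removes the leading whitespace/control characters and mixed case
 * that browsers tolerate when resolving href="...".
 */
function safeHttpUrl(string $url): ?string
{
    // Strip ASCII whitespace and control characters a browser would ignore
    // before the scheme (e.g. "\tjavascript:alert(1)").
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($clean === null || $clean === '') {
        return null;
    }
    $parts = parse_url($clean);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $clean;
}

/**
 * Encode a server-side string for insertion into a JavaScript context
 * inside an HTML page (e.g. a tag name pushed into a filter array).
 * json_encode with the HEX flags escapes < > & ' " so the result can
 * neither terminate the surrounding <script> block nor break out of an
 * enclosing HTML attribute.
 */
function jsString(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    if ($encoded === false) {
        // Invalid UTF-8: fail closed rather than emit the raw bytes.
        return '""';
    }
    return $encoded;
}

// Constructed sample inputs, not taken from any real instance.
$urls = [
    'https://cerebrate.example.org/',      // accepted
    'javascript:alert(document.cookie)',   // rejected: scheme not allowed
    "\tJaVaScRiPt:alert(1)",               // rejected: same, after cleanup
    '//evil.example/x',                    // rejected: no scheme at all
];
foreach ($urls as $u) {
    printf("%-40s => %s\n", json_encode($u), var_export(safeHttpUrl($u), true));
}

$tag = 'tlp:red</script><script>alert(1)</script>';
// Safe to drop into an inline script as: var filters = [<?= jsString($tag) ?>];
echo jsString($tag), "\n";
```

The allowlist approach (accept only `http`/`https` with a host) is deliberately stricter than a denylist of `javascript:`; a denylist would have to chase every scheme and encoding trick a browser accepts, whereas the allowlist only has to be right about the two schemes a link field legitimately needs.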
iglocska 107e271d78
fix: [security] XSS in galaxy clusters
- fixed a stored XSS in the galaxy clusters

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
2022-04-17 19:12:16 +02:00
iglocska 68a59df77c
fix: [boolean case] fixed uppercasing of the boolean values
- Javascript != Python
2022-04-17 19:00:15 +02:00
iglocska 9623de2f5c
fix: [security] XSS in LinOTP login field fixed
- fixed a stored XSS in the LinOTP login
- also fixed invalid calls to check MISP settings from a javascript scope

- as reported by Dawid Czarnecki of Zigrin Security
2022-04-17 18:56:45 +02:00
iglocska 93821c0de6
fix: [security] Sanitise paths for several file interactions
- remove :// anywhere we don't expect a protocol to be supplied
- remove phar:// in certauth plugin's fetcher

- as reported by Dawid Czarnecki of Zigrin Security
2022-04-17 18:25:51 +02:00
iglocska 0108f1bde2
fix: [security] unregister phar from stream wrappers globally for all Model code
- blanket protection against phar deserialization vulnerabilities

- as reported by Dawid Czarnecki of Zigrin Security
2022-04-17 16:30:14 +02:00
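Added example, not code from MISP or its authors: the two defensive measures described in the two commits above (stripping `://` from values that must be plain paths, and unregistering the `phar` stream wrapper globally), as a practitioner might apply them in any PHP code base. The function names and sample paths are the editor's own; nothing here reproduces MISP's actual implementation.

```php
<?php
// Added example (not MISP code). Function names and sample paths are the editor's own.

/**
 * Blanket protection against phar:// deserialisation: once the wrapper is
 * unregistered, file functions such as file_exists(), is_file() and
 * file_get_contents() no longer parse phar metadata (and so no longer
 * unserialize attacker-supplied objects) when handed a phar:// path.
 * Idempotent, so it is safe to call from a bootstrap file or a base model.
 */
function disablePharWrapper(): bool
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        return stream_wrapper_unregister('phar');
    }
    return true;
}

/**
 * Remove any "scheme://" prefix from a value that must be a plain filesystem
 * path. PHP selects a stream wrapper by the "://" sequence (with "data:" as
 * the one special case), so removing it anywhere in the string, not only at
 * the start, is what turns "certs/phar://x.phar/y" back into a local path.
 * Parent-directory traversal is rejected outright, since the callers this
 * is meant for never need it.
 */
function sanitiseLocalPath(string $path): ?string
{
    // Drop every "<anything without a slash>://" occurrence.
    $clean = preg_replace('#[^/]*://#i', '', $path);
    if ($clean === null) {
        return null;
    }
    // A null byte would truncate the path inside the underlying C file APIs.
    if (strpos($clean, "\0") !== false) {
        return null;
    }
    foreach (explode('/', str_replace('\\', '/', $clean)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    return $clean;
}

// Usage: call once at bootstrap, then fail hard if the wrapper is still there.
disablePharWrapper();
if (in_array('phar', stream_get_wrappers(), true)) {
    throw new RuntimeException('phar stream wrapper is still registered');
}

// Constructed sample inputs, not taken from any real instance.
$inputs = [
    '/var/www/MISP/app/files/certs/client.pem',  // unchanged
    'phar:///tmp/upload.jpg/x',                  // scheme stripped, local path kept
    'certs/phar://../../tmp/evil.phar/x',        // scheme stripped, then rejected for ".."
    'https://example.org/cert.pem',              // scheme stripped: no remote fetch here
    '../../etc/passwd',                          // rejected for ".."
];
foreach ($inputs as $in) {
    printf("%-45s => %s\n", $in, var_export(sanitiseLocalPath($in), true));
}
```

Unregistering the wrapper is the broad fix: it removes the deserialisation sink from every file function at once, including ones reached through third-party code. The path sanitiser is the narrow fix for the spots where a value is known to be a local path; keeping both means a path that slips past the sanitiser still cannot trigger phar metadata parsing.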
Jakub Onderka 9d2ed56906 chg: [internal] Remove not used mapping variable 2022-04-15 18:13:58 +02:00
Jakub Onderka ceaed9533d fix: [internal] Remove unnecessary loadModel 2022-04-15 18:13:21 +02:00
iglocska 3e706867e9
new: [emailing] add custom templates to override existing ones
- currently implemented for event publish alerts and user enrollment (password_reset.ctp, alert.ctp)
- simply place the new templates in MISP/app/View/Emails/[text|html]/Custom
2022-04-15 16:28:36 +02:00
Jakub Onderka ecdba477ab chg: [js] Simplify `freetextImportResultsSubmit` function 2022-04-15 16:14:52 +02:00
Jakub Onderka dc6c20b11f chg: [internal] Do not fetch object info when fetching related attributes 2022-04-15 16:14:07 +02:00
Jakub Onderka 104ea79afc chg: [internal] Simplify and speedup code for freetext importing 2022-04-15 14:31:17 +02:00
Luciano Righetti 204ec386b2
Merge pull request #8277 from tomking2/feature/restSearch_SharingGroup
Add in new RestAPI parameter to filter by sharing group on Event or Attribute search
2022-04-14 17:25:59 +02:00
Tom King 37ea0ddee1 chg: Add in new RestAPI parameter to filter by sharing group on Event or Attribute search 2022-04-13 16:27:20 +01:00
Jakub Onderka 5e35c7052a
Merge pull request #8276 from JakubOnderka/fix-undefined-index-vol2
fix: [UI] Undefined index: perm_site_admin
2022-04-13 17:23:45 +02:00
Jakub Onderka 003fee8f6c fix: [UI] Undefined index: perm_site_admin 2022-04-13 15:02:11 +02:00
Jakub Onderka 745299fa3f
Merge pull request #8273 from JakubOnderka/fix-taxonomy-toggle
fix: [UI] Mark checkbox as disabled when user has no permission
2022-04-13 14:15:46 +02:00
Jakub Onderka bebe530d38
Merge pull request #8274 from JakubOnderka/fix-show-warning
fix: [UI] Show warnings
2022-04-13 14:08:46 +02:00
Jakub Onderka 473f0b380d chg: [UI] Remove box-shadow for warning 2022-04-13 11:00:40 +02:00
Jakub Onderka 789d775d5a fix: [UI] Show warnings 2022-04-13 09:28:16 +02:00
Jakub Onderka 389ea222ea new: [test] test_taxonomy_export 2022-04-13 09:05:31 +02:00
Jakub Onderka 274e427ce3 chg: [internal] Better logging for taxonomies 2022-04-11 14:18:23 +02:00
Jakub Onderka c8ed71bf40 fix: [UI] Mark checkbox as disabled when user has no permission 2022-04-11 13:57:25 +02:00
Luciano Righetti 3dc5090b59 chg: upgrade moment.js to v2.29.2 2022-04-11 08:59:37 +02:00
Luciano Righetti 384fd6ba79
Merge pull request #8271 from righel/upgrade-moment-js
chg: upgrade moment.js to v2.29.2
2022-04-11 08:57:09 +02:00
Luciano Righetti 035b6b282e chg: upgrade moment.js to v2.29.2 2022-04-11 08:44:57 +02:00