- navigating to a URL in MISP with the URL containing a JavaScript payload would cause the execution of reflected XSS
  - automatically sanitised by modern browsers, but still confirmed via raw curl fetches
- simply add values at /exclude_correlations
  - new values coming in will not correlate if they match one of the values listed there
  - to remove existing correlations, run the cleaner tool on the above endpoint
- values can be 1:1 matches or substring searches (denoted with a leading, trailing, or both leading and trailing '%')
  - https://www.google.com/% will match anything starting with https://www.google.com/
  - %google.com% will match anything that contains google.com
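The matching rules above, implemented as an added example (not MISP's own code): exact match when the pattern has no `%`, prefix match for a trailing `%`, suffix match for a leading `%`, and substring match for both. The `should_correlate` and `purge_excluded` helpers mirror the two behaviours described, incoming values not correlating and the cleaner removing existing correlations; the exclusion list and correlation records are constructed sample data, and case-sensitive comparison is an assumption.

```python
"""Correlation exclusion matching, modelled on the /exclude_correlations rules."""

# Constructed sample exclusion list (the kind of values an admin would enter).
EXCLUSIONS = [
    "https://www.google.com/%",   # prefix match
    "%google.com%",               # substring match
    "%.local",                    # suffix match
    "127.0.0.1",                  # exact 1:1 match
]


def matches_exclusion(value: str, pattern: str) -> bool:
    """Return True if `value` is covered by a single exclusion `pattern`.

    A leading '%' means "ends with", a trailing '%' means "starts with",
    both mean "contains", and no '%' at all means an exact 1:1 match.
    Comparison is case-sensitive (assumption, not confirmed by the page).
    """
    if not pattern:
        return False
    leading = pattern.startswith("%")
    trailing = pattern.endswith("%") and len(pattern) > 1
    core = pattern
    if leading:
        core = core[1:]
    if trailing:
        core = core[:-1]
    if leading and trailing:
        return core in value
    if leading:
        return value.endswith(core)
    if trailing:
        return value.startswith(core)
    return value == core


def should_correlate(value: str, exclusions=EXCLUSIONS) -> bool:
    """An incoming attribute value correlates only if no exclusion matches it."""
    return not any(matches_exclusion(value, p) for p in exclusions)


def purge_excluded(correlations, exclusions=EXCLUSIONS):
    """Cleaner behaviour: drop existing correlations whose value is now excluded.

    `correlations` is a list of (value, event_a, event_b) tuples (constructed shape).
    Returns the correlations that survive.
    """
    return [c for c in correlations if should_correlate(c[0], exclusions)]


if __name__ == "__main__":
    # Constructed sample correlation records.
    existing = [
        ("https://www.google.com/search?q=x", 1, 2),
        ("mail.google.com", 3, 4),
        ("printer.local", 5, 6),
        ("127.0.0.1", 7, 8),
        ("198.51.100.23", 9, 10),
    ]
    for value in ("198.51.100.23", "https://www.google.com/"):
        print(value, "->", "correlates" if should_correlate(value) else "excluded")
    print("surviving after cleaner:", purge_excluded(existing))
```

Run as a script it prints which sample values still correlate and which records the cleaner would keep; only the `198.51.100.23` record survives the sample exclusion list.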
- Added aria label and role for the representation of booleans in generic index tables
- Fixed aria label for actions in generic index tables
- Set titles for actions in the admin user index table
- Added a few missing aria labels in the global menu
- also added a new special permission for the ACL system, host_org_user, which evaluates whether the user belongs to the org configured in the MISP.host_org_id directive
- a user could be lured into setting a MISP homepage outside of the MISP baseurl
  - switched the endpoint to have CSRF protection enabled
  - as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
- add simple tag filters to block events from being added
  - it will not stop the manual creation of an event with the tag added at a later stage
  - it will, however, block synced events
- user self-registration is the first use-case
  - if the feature is enabled, unauthenticated users can send a registration request to MISP
  - the request includes information on the desired org and some privileges (sync / org admin / publisher)
  - requests land in the inbox, where admins can inspect the registration requests
  - they can accept/discard them individually or en masse
  - users will be notified of their credentials automatically
  - quick user creation if the user asks for an org that doesn't exist yet
- Dashboard
  - modular, similar to restSearch
  - build your own widgets
  - use a set of visualisation options (more coming!)
  - full access to internal functions for queries
  - auto-discover core and 3rd party widgets
  - rearrange / configure widgets for each user individually
  - rearrange / resize widgets
  - settings can be configured by a site-admin on behalf of others
  - modules have a self-explain mode to guide users
  - caching mechanism for the modules / org
  - set homepage / user
- various other fixes
- Added configuration tool
- Added lookups from the event view
- Added the includeSightingdb flag for restSearch searches
- Added SightingDB search tool
- Added SightingDB connection test tool