fix: CVEs added

pull/4/head
Alexandre Dulaunoy 2018-03-24 09:50:45 +01:00
parent 107de7df38
commit dc42680b77
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 2 additions and 2 deletions

View File

@ -20,8 +20,8 @@ The API was significantly improved including changes such as attribute UUID in a
Two security bugs were fixed: Two security bugs were fixed:
- Sanitisation is now properly done from misp-modules especially to avoid XSS from potential malicious expansion modules. - Sanitisation is now properly done from misp-modules especially to avoid XSS from potential malicious expansion modules. [CVE-2018-8948](https://cve.circl.lu/cve/CVE-2018-8948)
- An API integrity bug where an authenticated user could edit and overwrite an attribute without the UUID set. - An API integrity bug where an authenticated user could edit and overwrite an attribute without the UUID set. [CVE-2018-8949](https://cve.circl.lu/cve/CVE-2018-8949)
Another important fix was applied to the object handler to remedy a situation where under specific conditions could be overwritten. A recovery tool has been added in the diagnostics page. Another important fix was applied to the object handler to remedy a situation where under specific conditions could be overwritten. A recovery tool has been added in the diagnostics page.