CVE-2023-49926: security: [event:event-timeline] Fixed XSS in the event timeline widget · MISP/MISP@dc73287
app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.
Expand Up @@ -97,7 +97,7 @@ public function get_timeline($id) $toPush = array( ‘id’ => $attr[‘id’], ‘uuid’ => $attr[‘uuid’], ‘content’ => $attr[‘value’], ‘content’ => h($attr[‘value’]), ‘event_id’ => $attr[‘event_id’], ‘group’ => 'attribute’, ‘timestamp’ => $attr[‘timestamp’], Expand All @@ -114,9 +114,9 @@ public function get_timeline($id) $toPush_obj = array( ‘id’ => $obj[‘id’], ‘uuid’ => $obj[‘uuid’], ‘content’ => $obj[‘name’], ‘content’ => h($obj[‘name’]), ‘group’ => 'object’, ‘meta-category’ => $obj[‘meta-category’], ‘meta-category’ => h($obj[‘meta-category’]), ‘template_uuid’ => $obj[‘template_uuid’], ‘event_id’ => $obj[‘event_id’], ‘timestamp’ => $obj[‘timestamp’], Expand All @@ -140,8 +140,8 @@ public function get_timeline($id) $toPush_attr = array( ‘id’ => $obj_attr[‘id’], ‘uuid’ => $obj_attr[‘uuid’], ‘content’ => $obj_attr[‘value’], ‘contentType’ => $obj_attr[‘object_relation’], ‘content’ => h($obj_attr[‘value’]), ‘contentType’ => h($obj_attr[‘object_relation’]), ‘event_id’ => $obj_attr[‘event_id’], ‘group’ => 'object_attribute’, ‘timestamp’ => $obj_attr[‘timestamp’], Expand Down Expand Up @@ -206,7 +206,7 @@ public function get_sighting_timeline($id) ‘attribute_id’ => $attributeId, ‘id’ => sprintf('%s-%s’, $attributeId, $sighting[‘id’]), ‘uuid’ => $sighting[‘uuid’], ‘content’ => $attribute[‘value’], ‘content’ => h($attribute[‘value’]), ‘event_id’ => $attribute[‘event_id’], ‘group’ => $group, ‘timestamp’ => $attribute[‘timestamp’], Expand Down Expand Up @@ -235,7 +235,7 @@ public function get_sighting_timeline($id) ‘attribute_id’ => $attributeId, ‘id’ => sprintf('%s-%s’, $attributeId, $sighting[‘id’]), ‘uuid’ => $sighting[‘uuid’], ‘content’ => $attribute[‘value’], ‘content’ => h($attribute[‘value’]), ‘event_id’ => $attribute[‘event_id’], ‘group’ => 'sighting_positive’, ‘timestamp’ => $attribute[‘timestamp’], Expand All 
@@ -255,7 +255,7 @@ public function get_sighting_timeline($id) ‘attribute_id’ => $attributeId, ‘id’ => sprintf('%s-%s’, $attributeId, $sighting[‘id’]), ‘uuid’ => $fpSighting[‘uuid’], ‘content’ => $attribute[‘value’], ‘content’ => h($attribute[‘value’]), ‘event_id’ => $attribute[‘event_id’], ‘group’ => 'sighting_negative’, ‘timestamp’ => $attribute[‘timestamp’], Expand All @@ -279,7 +279,7 @@ public function get_sighting_timeline($id) ‘attribute_id’ => $attributeId, ‘id’ => sprintf('%s-%s’, $attributeId, $sighting[‘id’]), ‘uuid’ => $fpSighting[‘uuid’], ‘content’ => $attribute[‘value’], ‘content’ => h($attribute[‘value’]), ‘event_id’ => $attribute[‘event_id’], ‘group’ => 'sighting_negative’, ‘timestamp’ => $attribute[‘timestamp’], Expand Down
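Review bot: The escaping is applied when the timeline rows are built inside the library class rather than where they are rendered, so every consumer of get_timeline() and get_sighting_timeline() now receives HTML-entity-encoded `content`, `contentType` and `meta-category` values; if these arrays are ever handed to a JSON/REST caller as well, that caller will see `&lt;` and `&quot;` inside attribute values. If that is the intended contract, a docblock on both methods saying `@return array timeline items whose content, contentType and meta-category fields are already HTML-escaped with h()` would keep later callers from escaping twice, or from leaving unescaped a field this commit does not touch (for example the `$group` variable in the hunk at line 206, whose origin is not visible here). Note also that h() only protects an HTML text or attribute sink: if the timeline widget inserts these fields through a JavaScript string, a URL, or an innerHTML template with further interpolation, the sink has to escape for that context itself. The same one-line change is repeated in all seven hunks (lines 97, 114, 140, 206, 235, 255 and 279); a small private helper that escapes the display fields of one item in one place would make it harder to miss a newly added field later. Both methods begin and end outside the visible hunks.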