secvisogram/csaf-cms-backend

Missing UUID Validation

Closed this issue · 0 comments

The following API endpoints do not check that the submitted advisory IDs are valid UUIDs (i.e. do not invoke the method checkValidUuid(advisoryId)):

  • /{advisoryId}/workflowstate/Review
  • /{advisoryId}/workflowstate/Approved
  • /{advisoryId}/workflowstate/RfPublication
  • /{advisoryId}/workflowstate/Published
  • /{advisoryId}/createNewVersion
  • /{advisoryId}/comments

Note: The missing validation could not be exploited.

_Originally posted by @pdamian_
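As an added illustration of the check the issue asks for (example code, not csaf-cms-backend's own implementation): a strict UUID validator that each of the listed handlers could call before the advisory ID reaches a database lookup. The class name `UuidGuard`, the `InvalidAdvisoryIdException` type and the `isValidUuid` helper are assumptions for this example; the project's real `checkValidUuid(advisoryId)` may be structured differently.

```java
import java.util.UUID;
import java.util.regex.Pattern;

// Added example, not project code: a strict UUID check for advisory IDs.
public final class UuidGuard {

    // Canonical textual form only: 8-4-4-4-12 hex digits, 36 characters.
    private static final Pattern CANONICAL = Pattern.compile(
        "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$");

    // Hypothetical exception type; a controller advice can map it to HTTP 400.
    public static final class InvalidAdvisoryIdException extends RuntimeException {
        InvalidAdvisoryIdException(String message) { super(message); }
    }

    // Returns true only for the canonical 36-character layout.
    public static boolean isValidUuid(String advisoryId) {
        if (advisoryId == null || !CANONICAL.matcher(advisoryId).matches()) {
            return false;
        }
        // UUID.fromString on its own is lenient about the length of each hex
        // group, so the regex above is what enforces the exact layout; the
        // parse is kept as a second, independent sanity check.
        try {
            UUID.fromString(advisoryId);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // The guard each endpoint should invoke first, before any persistence call.
    public static void checkValidUuid(String advisoryId) {
        if (!isValidUuid(advisoryId)) {
            throw new InvalidAdvisoryIdException("advisoryId is not a valid UUID");
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration.
        String[] samples = {
            "123e4567-e89b-12d3-a456-426614174000", // canonical form: accepted
            "1-2-3-4-5",                            // short groups: rejected
            "../other",                             // path-like junk: rejected
            ""                                      // empty: rejected
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + isValidUuid(s));
        }
    }
}
```

The point of the regex is consistency: every endpoint that takes `{advisoryId}` should reject the same inputs with the same 400-style response, so that a malformed ID never reaches the workflow-state, versioning or comment logic and is never used to build a document lookup.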