From 039e3c04f4a0efb45c5a2534b394d0ddac83184e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Fri, 17 Nov 2023 09:11:42 +0100
Subject: [PATCH] chg: [security] 5 CVEs added (pre 2.4.176)

---
 content/security.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/content/security.md b/content/security.md
index 74fde07..2e87715 100755
--- a/content/security.md
+++ b/content/security.md
@@ -98,6 +98,11 @@ We firmly believe that, even though unfortunately it is often not regarded as co
 - [CVE-2023-37306](https://cvepremium.circl.lu/cve/CVE-2023-37306) < MISP 2.4.173 - MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error messages.  
 - [CVE-2023-40224](https://cvepremium.circl.lu/cve/CVE-2023-40224) <= MISP 2.4.174 - allows XSS in app/View/Events/index.ctp. (reported by BeDisruptive OSS Team)
 - [CVE-2023-41098](https://cvepremium.circl.lu/cve/CVE-2023-41098) <= MISP 2.4.174 - In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit. 
+- [CVE-2023-48656](https://cvepremium.circl.lu/cve/CVE-2023-48656) < MISP 2.4.176 - An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses.
+- [CVE-2023-48655](https://cvepremium.circl.lu/cve/CVE-2023-48655) < MISP 2.4.176 - An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters. 
+- [CVE-2023-48657](https://cvepremium.circl.lu/cve/CVE-2023-48657) < MISP 2.4.176 - An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters. 
+- [CVE-2023-48659](https://cvepremium.circl.lu/cve/CVE-2023-48659) < MISP 2.4.176 - An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing.
+- [CVE-2023-48658](https://cvepremium.circl.lu/cve/CVE-2023-48658) < MISP 2.4.176 - An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and space. 
 
 ## PGP Key