From 3908439e0ac1f4482dc7dde37265a9931784c7ac Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 20 Nov 2020 10:52:18 +0100 Subject: [PATCH] chg: [security] CVE-2020-28947 updated --- _pages/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/_pages/security.md b/_pages/security.md index 22666b0..3eac271 100755 --- a/_pages/security.md +++ b/_pages/security.md @@ -59,6 +59,7 @@ We firmly believe that, even though unfortunately it is often not regarded as co - [CVE-2020-15412](https://cve.circl.lu/cve/CVE-2020-15412) <= MISP 2.4.128 - An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to send an event contact form. - [CVE-2020-25766](https://cve.circl.lu/cve/CVE-2020-25766) <= MISP 2.4.131 - An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page. - [CVE-2020-28043](https://cve.circl.lu/cve/CVE-2020-28043) <= MISP 2.4.133 - MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. +- [CVE-2020-28947](https://cve.circl.lu/cve/CVE-2020-28947) <= MISP 2.4.134 - In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. ## PGP Key