chg: [security] CVEs added

2022-04-21 15:38:22 +02:00 · 2022-04-21 15:38:22 +02:00 · 94674291fc
parent a1922e6e9f
commit 94674291fc
1 changed files with 6 additions and 0 deletions
--- a/content/security.md
+++ b/content/security.md
@ -78,6 +78,12 @@ We firmly believe that, even though unfortunately it is often not regarded as co
 - [CVE-2022-27243](https://cvepremium.circl.lu/cve/CVE-2022-27243) <= MISP 2.4.155 - An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. 
 - [CVE-2022-27246](https://cvepremium.circl.lu/cve/CVE-2022-27246) <= MISP 2.4.155 - An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. 
 - [CVE-2022-27244](https://cvepremium.circl.lu/cve/CVE-2022-27244) <= MISP 2.4.155 - An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.   
+- [CVE-2022-29530](https://cvepremium.circl.lu/cve/CVE-2022-29530) < MISP 2.4.158. There is stored XSS in the galaxy clusters.
+- [CVE-2022-29534](https://cvepremium.circl.lu/cve/CVE-2022-29534) < MISP 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.
+- [CVE-2022-29529](https://cvepremium.circl.lu/cve/CVE-2022-29529) < MISP 2.4.158. There is stored XSS via the LinOTP login field.
+- [CVE-2022-29533](https://cvepremium.circl.lu/cve/CVE-2022-29533) < MISP 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."
+- [CVE-2022-29528](https://cvepremium.circl.lu/cve/CVE-2022-29528) < MISP 2.4.158. PHAR deserialization can occur.
+- [CVE-2022-29531](https://cvepremium.circl.lu/cve/CVE-2022-29531) < MISP 2.4.158. There is stored XSS in the event graph via a tag name.

 ## PGP Key