From eab5a367e79e3b273649a1161064fe7d50efaf39 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 20 Sep 2021 16:57:52 +0200 Subject: [PATCH] chg: [security] CVE-2021-41326 added --- _pages/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/_pages/security.md b/_pages/security.md index 447c8c7..9104c99 100755 --- a/_pages/security.md +++ b/_pages/security.md @@ -73,6 +73,7 @@ We firmly believe that, even though unfortunately it is often not regarded as co - [CVE-2021-37742](https://cvepremium.circl.lu/cve/CVE-2021-37742) <= MISP 2.4.147 - app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships. - [CVE-2021-37743](https://cvepremium.circl.lu/cve/CVE-2021-37743) <= MISP 2.4.147 - app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format. - [CVE-2021-39302](https://cvepremium.circl.lu/cve/CVE-2021-39302) <= MISP 2.4.148 - MISP in certain configurations, when used with PostgreSQL (which is not a default configuration), allows SQL injection via the app/Model/Log.php $conditions['org'] value. +- [CVE-2021-41326](https://cvepremium.circl.lu/cve/CVE-2021-41326) < MISP 2.4.148 - app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. ## PGP Key
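Review bot: the added CVE-2021-41326 entry writes its affected range as "< MISP 2.4.148", while the neighbouring entries in the context lines all use the "<=" form ("<= MISP 2.4.147", "<= MISP 2.4.148"). If 2.4.147 is the last affected release, writing "<= MISP 2.4.147" would keep the list consistent and spare readers from working out whether 2.4.148 itself is affected. The description also stops at "mishandles parameter data that is used in a shell_exec call" without naming the impact, whereas the entries above it state "Stored XSS" or "SQL injection"; naming the resulting vulnerability class and any precondition (as the CVE-2021-39302 entry does for PostgreSQL) would make triage easier for administrators reading this page.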