From ebeba307c3d1cdf832d22a0163adf78e30bcd0b2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Mar 2020 09:14:33 +0100 Subject: [PATCH] chg: [security] CVE-2020-10247 and CVE-2020-10246 added --- _pages/security.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/_pages/security.md b/_pages/security.md index 84231b9..edca2d3 100755 --- a/_pages/security.md +++ b/_pages/security.md @@ -46,7 +46,8 @@ As one of the critical user-bases of MISP consists of the CSIRT community, it is - [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892) <= MISP 2.4.120 - An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. - [CVE-2020-8893](https://cve.circl.lu/cve/CVE-2020-8893) <= MISP 2.4.120 - An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. - [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8894) <= MISP 2.4.120 - An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. - +- [CVE-2020-10246](https://cve.circl.lu/cve/CVE-2020-10246) <= MISP 2.4.122 - Reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. +- [CVE-2020-10247](https://cve.circl.lu/cve/CVE-2020-10247) <= MISP 2.4.122 - Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. ## PGP Key
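Review bot: the two new entries omit the fixed-release statement that the neighbouring entries carry ("An issue was discovered in MISP before 2.4.121."), so a reader sees only the affected upper bound `<= MISP 2.4.122` and has to infer which release closes the hole; add the same "An issue was discovered in MISP before <fixed release>." phrase to the CVE-2020-10246 and CVE-2020-10247 lines once the fixed release is confirmed, so the list stays uniform and actionable for the CSIRT readership the page addresses. Also, the hunk deletes a line (the lone `- ` just before the first `+` line) rather than purely appending; check that a blank line still separates the last list item from `## PGP Key`, otherwise the heading is glued to the list in rendered Markdown.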