An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.

app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.