From c96e9d2fe5e0fbea1da4059264e4da269889f55d Mon Sep 17 00:00:00 2001 From: Maxime Rainville Date: Thu, 9 Jul 2020 22:26:40 +1200 Subject: [PATCH] [CVE-2020-9311] Add public disclosure statement to changelog --- docs/en/04_Changelogs/3.7.5.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/en/04_Changelogs/3.7.5.md b/docs/en/04_Changelogs/3.7.5.md index e2f601c85..7458de641 100644 --- a/docs/en/04_Changelogs/3.7.5.md +++ b/docs/en/04_Changelogs/3.7.5.md @@ -1,6 +1,7 @@ # 3.7.5 * [CVE-2019-19326 Web Cache Poisoning](#CVE-2019-19326) +* [CVE-2020-9311 Malicious user profile information can cause login form XSS](#CVE-2020-9311) ## CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326} @@ -63,6 +64,15 @@ To learn more about middleware: * read the [PSR-15: HTTP Server Request Handlers](https://www.php-fig.org/psr/psr-15/) standard * read the [Silverstripe 4 documentation about HTTP Middlewares](https://docs.silverstripe.org/en/4/developer_guides/controllers/middlewares/) standard. +[Review the CVE-2019-19326 public disclosure](https://www.silverstripe.org/download/security-releases/cve-2019-19326) + +## CVE-2020-9311 Malicious user profile information can cause login form XSS {#CVE-2020-9311} + +Malicious users with a valid Silverstripe login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs. + +[Review the CVE-2020-9311 public disclosure](https://www.silverstripe.org/download/security-releases/cve-2020-9311) + +
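Review bot: the new CVE-2020-9311 section at the end of the second hunk describes the issue but gives readers no remediation or version guidance, whereas the CVE-2019-19326 section above it walks through the middleware-based mitigation; since this file is the 3.7.5 changelog, add a sentence such as "Upgrading to 3.7.5 resolves this issue" (or whatever action the advisory calls for, e.g. reviewing existing profile data) so the entry is actionable without following the external link. Also, the hunk ends with two added blank lines (`+` `+`), which leaves an extra trailing blank line at end of file; one is enough.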