GHSA-7pq5-qcp6-mcww: CKAN has an XSS vector in user uploaded images in group/org and user profiles

GHSA-w3pj-wh35-fq8w: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

GHSA-wc9m-r3v6-9p5h: Sparkle Signing Checks Bypass

GHSA-w7wm-2425-7p2h: MarbleRun unauthenticated recovery allows Coordinator impersonation

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

### Impact

The default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module.

### Patches

Update to v2.1.0

### Workarounds

Use  the `baseDir` option

### References

[HackerOne report
](https://hackerone.com/reports/2312369).

**Default swagger-ui configuration exposes all files in the module**

Moderate severity GitHub Reviewed Published Jan 15, 2024 in fastify/fastify-swagger-ui • Updated Jan 16, 2024

Headline

GHSA-62jr-84gf-wmg4: Default swagger-ui configuration exposes all files in the module

Impact

Patches

Workarounds

References

ghsa: Latest News