GHSA-6gf2-ffq8-gcww: GHSL-2024-288: SickChill open redirect in login

GHSA-j3f9-p6hm-5w6q: Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale

GHSA-cjgq-5qmw-rcj6: keras Path Traversal vulnerability

GHSA-j4jw-m6xr-fv6c: Soft Serve vulnerable to path traversal attacks

GHSA-mjf9-4pcv-vfg7: Apache OpenMeetings vulnerable to Deserialization of Untrusted Data 

### Impact
Input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban.

### Workarounds
* Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
* Encoding input with `encodeURIComponent` before providing it to the library.

### References
OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe

**Oceanic allows unsanitized user input to lead to path traversal in URLs**

Moderate severity GitHub Reviewed Published May 14, 2024 in OceanicJS/Oceanic • Updated May 14, 2024

Headline

GHSA-5h5v-hw44-f6gg: Oceanic allows unsanitized user input to lead to path traversal in URLs

Impact

Workarounds

References

ghsa: Latest News