GHSA-7m27-7ghc-44w9: Next.js Allows a Denial of Service (DoS) with Server Actions

GHSA-q9jv-mm3r-j47r: PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

GHSA-hwcp-2h35-p66w: PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

GHSA-wv23-996v-q229: PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties

GHSA-j2xg-cjcx-4677: PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

### Impact
Utility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.

### Patches
The `get`, `set` and `update` functions will throw a `TypeError` when a user attempts to access or alter inherited properties in versions >=2.2.1.

**Prototype pollution not blocked by object-path related utilities in hoolock**

Moderate severity GitHub Reviewed Published Jan 21, 2024 in elijahharry/hoolock • Updated Jan 23, 2024

Headline

GHSA-4c2g-hx49-7h25: Prototype pollution not blocked by object-path related utilities in hoolock

Impact

Patches

ghsa: Latest News