Source
ghsa
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
Cross-site Scripting (XSS) - Stored in GitHub repository uvdesk/community-skeleton prior to 1.1.0.
jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injection vulnerability via the building block report component.
Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile: the stream wrapped by the StreamableFile will be kept open.
All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking `shell.exec` without sanitization or parametrization while concatenating the current directory as part of the command string.
node-static and the fork @nubosoftware/node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.
All versions of the package dot-lens are vulnerable to Prototype Pollution via the `set()` function in `index.js` file.
A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is c1dd82f5b15d8a553bb7a0cfa841ab8a11a9c227. It is recommended to upgrade the affected component. VDB-222266 is the identifier assigned to this vulnerability.