Source
ghsa
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `WorkFlow` module. A patch is available at commit cd82ecce44d83f1f6c10c7766bf36f3026de024a.
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `WidgetsManagement` module. A patch is available at commit b716ecea340783b842498425faa029800bd30420.
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `SlaPolicy` module. A patch is available at commit e55886781509fe39951fc7528347696474a17884.
Microweber versions 1.3.1 and prior are vulnerable to HTML injection that an attacker can use to redirect someone to a malicious site. A patch is available at commit 68f0721571653db865a5fa01c7986642c82e919c and expected to be part of version 1.3.2.
An HTML injection attack is closely related to cross-site scripting (XSS). HTML injection uses HTML to deface the page, whereas XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input. A patch is available at commit f20abf30a1d9c1426c5fb757ac63998dc5b92bfc and is anticipated to be part of version 1.3.2.
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.
A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files.
WASM3 v0.5.0 was discovered to contain a segmentation fault via the component `op_Select_i32_srs` in `wasm3/source/m3_exec.h`.
A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.
A prototype pollution vulnerability exists in stealjs steal via the alias variable in babel.js.