Source
ghsa
### Impact

Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

### Patches

Any version after 2.11.0. Starting in laminas/laminas-diactoros 2.11.1, we have added `Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface`, which defines the single method `__invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface`. Filters implementing this interface allow modifying and returning a generated `ServerRequest`. The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as `X-Forwarded-Host`. When operating behind a revers...
The package grapesjs before 0.19.5 is vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager.
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages, which contained the parameters verbatim.
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2. The `query_string` parameter of Fava is vulnerable to reflected cross-site scripting, through which an attacker can modify any information that the user is able to modify. This issue is fixed in version 1.22.2.
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
All versions of package git-archive are vulnerable to Command Injection via the exports function.
A command injection vulnerability affects all versions of package deferred-exec. The injection point is located at line 42 in lib/deferred-exec.js.
A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is [deprecated](https://github.com/ianwalter/merge/blob/master/README.md) and the maintainer suggests using [@generates/merger](https://github.com/generates/generates/tree/main/packages/merger) instead.
The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.