Security Headlines

Source: ghsa

GHSA-p7wj-c85f-xq9h: Answer has Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository answerdev/answer prior to 1.0.4.

GHSA-4cwh-8w4g-jxxh: Answer contains Improper Access Control vulnerability

Improper Access Control in GitHub repository answerdev/answer prior to 1.0.4.

GHSA-hjmr-xm25-36mh: Answer subject to Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Generic in GitHub repository answerdev/answer prior to 1.0.4.

GHSA-qx34-47fc-vv79: Answer vulnerable to Race Condition

Race Condition in Switch in GitHub repository answerdev/answer prior to 1.0.4.

GHSA-74fp-r6jw-h4mp: Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON parsing

Unbounded recursion in JSON parsing allows deeply nested, malicious JSON input to cause excessive memory consumption or panics in any component that decodes it.
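The practical defence against this class of bug is to bound nesting depth before (or instead of) recursing into the document. The following is an added example, not code from the Kubernetes apimachinery packages: it walks the token stream with the standard library's `json.Decoder.Token`, which keeps an explicit stack rather than recursing, stops as soon as the depth limit is passed, and only then hands the input to the real parser. The limit value and the sample documents are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

var errDepthExceeded = errors.New("json: nesting depth exceeds limit")

// checkDepth returns the deepest nesting in data, walking the token stream
// without recursion. It aborts as soon as depth passes limit, so a hostile
// input costs at most O(limit) work and no unbounded stack.
func checkDepth(data []byte, limit int) (int, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	depth, deepest := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return deepest, nil
		}
		if err != nil {
			return deepest, err
		}
		d, ok := tok.(json.Delim)
		if !ok {
			continue // scalars and object keys do not change depth
		}
		switch d {
		case '[', '{':
			depth++
			if depth > limit {
				return depth, fmt.Errorf("%w: %d > %d", errDepthExceeded, depth, limit)
			}
			if depth > deepest {
				deepest = depth
			}
		case ']', '}':
			depth--
		}
	}
}

// unmarshalBounded rejects over-nested documents before the full parser
// (which may recurse per level) ever sees them.
func unmarshalBounded(data []byte, limit int, v interface{}) error {
	if _, err := checkDepth(data, limit); err != nil {
		return err
	}
	return json.Unmarshal(data, v)
}

// nested builds the classic payload: n opening brackets, then n closing ones.
// This is constructed attacker input for the demonstration.
func nested(n int) []byte {
	return []byte(strings.Repeat("[", n) + strings.Repeat("]", n))
}

func main() {
	d, err := checkDepth([]byte(`{"a":[1,[2,{"b":[]}]]}`), 100)
	fmt.Println(d, err) // 5 <nil>

	var v interface{}
	fmt.Println(unmarshalBounded(nested(20), 32, &v))       // <nil>
	fmt.Println(unmarshalBounded(nested(50000), 10000, &v)) // json: nesting depth exceeds limit: 10001 > 10000
}
```

The pre-check is parser-agnostic: it protects any decoder that lacks its own nesting limit, and because it only tokenizes, it costs one pass over the input and bounded memory even for a document designed to exhaust a recursive parser.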

GHSA-2qxp-xmx6-cq4f: Cross-Site Request Forgery (CSRF) in wallabag/wallabag

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.

GHSA-3x2c-87cq-qx49: Cross-site Scripting (XSS) in wallabag/wallabag

Cross-site Scripting (XSS) - Stored in GitHub repository wallabag/wallabag prior to 2.5.4.

GHSA-p4g4-wgrh-qrg2: Improper Input Validation in etcd

### Vulnerability type

Data Validation

### Detail

The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that causes a panic in any RAFT participant trying to decode the WAL.

### References

Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information

If you have any questions or comments about this advisory:

* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
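To make the defect concrete, here is an added example that is not etcd's code and does not reproduce etcd's real WAL encoding: a constructed length-prefixed frame format (8-byte little-endian length, then the bytes) decoded once by trusting the length field and once with the length bounded before allocation. The 1 MiB cap and the sample records are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxRecordSize is an assumed policy cap for this example, not an etcd constant.
const maxRecordSize = 1 << 20

var errRecordTooLarge = errors.New("wal: record length exceeds limit")

// encodeRecords frames each payload as length || bytes (constructed format).
func encodeRecords(payloads ...[]byte) []byte {
	var buf bytes.Buffer
	for _, p := range payloads {
		var hdr [8]byte
		binary.LittleEndian.PutUint64(hdr[:], uint64(len(p)))
		buf.Write(hdr[:])
		buf.Write(p)
	}
	return buf.Bytes()
}

// forgeFrame writes a header claiming `claimed` bytes over a tiny body: all an
// attacker who can write to the WAL needs to do.
func forgeFrame(claimed uint64, body []byte) []byte {
	var hdr [8]byte
	binary.LittleEndian.PutUint64(hdr[:], claimed)
	return append(hdr[:], body...)
}

// readHeader returns the claimed length; io.EOF marks a clean end of stream.
func readHeader(r io.Reader) (uint64, error) {
	var hdr [8]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, err
	}
	return binary.LittleEndian.Uint64(hdr[:]), nil
}

// decodeNaive trusts the length field. A claim like 1<<62 makes
// make([]byte, n) panic ("makeslice: len out of range"); a claim just under
// the allocator's limit instead tries to reserve terabytes.
func decodeNaive(r io.Reader) ([][]byte, error) {
	var out [][]byte
	for {
		n, err := readHeader(r)
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return out, err
		}
		buf := make([]byte, n) // untrusted size drives the allocation
		if _, err := io.ReadFull(r, buf); err != nil {
			return out, err
		}
		out = append(out, buf)
	}
}

// decodeChecked refuses any claim above maxRecordSize before allocating, so a
// forged frame becomes an error the caller can handle instead of a panic.
func decodeChecked(r io.Reader) ([][]byte, error) {
	var out [][]byte
	for {
		n, err := readHeader(r)
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return out, fmt.Errorf("wal: bad header: %w", err)
		}
		if n > maxRecordSize {
			return out, fmt.Errorf("%w: claimed %d, limit %d", errRecordTooLarge, n, maxRecordSize)
		}
		buf := make([]byte, n)
		if _, err := io.ReadFull(r, buf); err != nil {
			return out, fmt.Errorf("wal: truncated record: %w", err)
		}
		out = append(out, buf)
	}
}

// naivePanics reports whether decodeNaive panics on data (recovered so the
// comparison can run in one process).
func naivePanics(data []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_, _ = decodeNaive(bytes.NewReader(data))
	return false
}

func main() {
	good := encodeRecords([]byte("term=3 index=7"), []byte("put /k v"))
	recs, err := decodeChecked(bytes.NewReader(good))
	fmt.Println(len(recs), err) // 2 <nil>

	forged := forgeFrame(1<<62, []byte("x"))
	_, err = decodeChecked(bytes.NewReader(forged))
	fmt.Println(err)                 // wal: record length exceeds limit: claimed 4611686018427387904, limit 1048576
	fmt.Println(naivePanics(forged)) // true
}
```

The check belongs before the allocation, not after the read: once `make` has run with an attacker-chosen size, the damage (panic or memory pressure) is already done. A remaining-bytes check against the file size is a useful second bound when the reader has one.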

GHSA-9xm8-8qvc-vw3p: Denial of Service in dhowden/tag

dhowden/tag before 0.0.0-20201120070457-d52dcb253c63 allows a malformed tag to trigger `panic: runtime error: index out of range` via readPICFrame, crashing the program that parses it (denial of service).

GHSA-xhjq-w7xm-p8qj: Go SSH library vulnerable to Man-in-the-Middle attacks

The Go SSH library (x/crypto/ssh) did not verify host keys by default, so a client would complete a handshake with whatever server answered, which enables man-in-the-middle attacks. The default behavior was changed in commit e4e2799 to require callers to explicitly register a host key verification mechanism.
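What "registering a verification mechanism" means in practice is pinning: the client must compare the key the server presents with one it already trusts. The block below is an added example, not code from x/crypto/ssh. It mirrors the shape of the library's `ssh.HostKeyCallback` (hostname, remote address, presented key) but takes the key as its SSH wire blob so it runs with the standard library alone; in real code the callback is set on `ssh.ClientConfig.HostKeyCallback`, typically via `ssh.FixedHostKey` or `knownhosts.New` from golang.org/x/crypto/ssh/knownhosts. The keys, hostnames and address are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// HostKeyCallback has the shape of x/crypto/ssh's callback type; the key is
// passed as its wire blob here instead of ssh.PublicKey (assumption for this
// stdlib-only example).
type HostKeyCallback func(hostname string, remote net.Addr, keyBlob []byte) error

var (
	errUnknownHost = errors.New("ssh: no pinned key for host")
	errKeyMismatch = errors.New("ssh: host key mismatch, refusing to connect")
)

// sshString encodes an SSH "string": uint32 big-endian length then bytes.
func sshString(b []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(b)))
	return append(n[:], b...)
}

// marshalEd25519 produces the ssh-ed25519 wire blob: algorithm name, then key.
func marshalEd25519(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// fingerprintSHA256 renders a blob the way ssh-keygen -l prints it:
// "SHA256:" followed by the unpadded base64 of the hash of the blob.
func fingerprintSHA256(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// insecureIgnoreHostKey accepts whatever key the peer presents: the
// pre-fix default the advisory describes, and what ssh.InsecureIgnoreHostKey()
// deliberately opts back into.
func insecureIgnoreHostKey() HostKeyCallback {
	return func(string, net.Addr, []byte) error { return nil }
}

// pinnedHostKeys maps hostname -> expected fingerprint and rejects both
// unknown hosts and hosts presenting a key other than the pinned one.
func pinnedHostKeys(pins map[string]string) HostKeyCallback {
	return func(hostname string, remote net.Addr, keyBlob []byte) error {
		want, ok := pins[hostname]
		if !ok {
			return fmt.Errorf("%w: %s (%v)", errUnknownHost, hostname, remote)
		}
		if got := fingerprintSHA256(keyBlob); got != want {
			return fmt.Errorf("%w: %s presented %s, pinned %s", errKeyMismatch, hostname, got, want)
		}
		return nil
	}
}

func main() {
	// Constructed keys: one for the genuine server, one for an interposer.
	serverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	server, attacker := marshalEd25519(serverPub), marshalEd25519(attackerPub)
	addr := &net.TCPAddr{IP: net.IPv4(10, 0, 0, 5), Port: 22}

	// The insecure callback lets the interposer's key through.
	fmt.Println(insecureIgnoreHostKey()("bastion.example", addr, attacker)) // <nil>

	verify := pinnedHostKeys(map[string]string{"bastion.example": fingerprintSHA256(server)})
	fmt.Println(verify("bastion.example", addr, server))   // <nil>
	fmt.Println(verify("bastion.example", addr, attacker)) // ssh: host key mismatch ...
	fmt.Println(verify("other.example", addr, server))     // ssh: no pinned key for host ...
}
```

Note the two failure modes the callback must treat as fatal: a host that is simply not in the pin set, and a pinned host whose key changed. Silently accepting the first is the classic first-connection weakness; accepting the second is the MITM the advisory is about.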