ghsa

FacturaScripts versions 2022.06 and prior are vulnerable to reflected cross-site scripting attacks. This vulnerability can use arbitrarily executed javascript code to steal users' cookies, perform HTTP request, get content of `same origin` page, etc. A fix is available on the `master` branch of the GitHub repository and anticipated to be part of version 2022.07.

Microweber is a drag and drop website builder and a powerful next generation CMS. Microweber versions 1.2.15 and prior are vulnerable to cross-site scripting. This could lead to injection of arbitrary JaveScript code, defacement of a page, or stealing cookies. A patch is available on the `master` branch of Microweber's GitHub repository.

Microweber prior to version 1.2.16 is vulnerable to cross-site scripting. This vulnerability allows an attacker to execute JavaScript as the victim.

The jquery.json-viewer library before version 1.5.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element.

Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows to bypass authentication and makes the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.

The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted `kustomization.yaml` to expose sensitive data from the controller’s pod filesystem. In multi-tenancy deployments this can lead to privilege escalation if the controller's service account has elevated permissions. Within the affected versions, users with write access to a Flux source are able to use built-in features to expose sensitive data from the controller’s pod filesystem using a malicious `kustomization.yaml` file. This vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce a new Kustomize file system implementation which ensures that all files being handled are contained within the Kustomization working directory, blocking references to any files that do not meet that requirement. Automated tooling (e.g. con...

Scout is a Variant Call Format (VCF) visualization interface. The Pypi package `scout-browser` is vulnerable to path traversal due to `send_file` call in versions prior to 4.52.

Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request. From this, the attacker can get the victim's cookie, base64 decode it, and obtain a cleartext password, leading to getting API documentation for further API attacks.

Huge memory consumption even when playing small files. This issue has been patched in 2.0.0. Please upgrade to version 2.0.0 or above.

Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.