Source
ghsa
SCart e-commerce is a free open source for businesses, built on the Laravel framework. The package s-cart/s-cart before 6.9 and the package s-cart/core before 6.9 are vulnerable to cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL. An attacker can gain unauthorized access to that user's account through the stolen cookie.
All versions of package jailed are vulnerable to Sandbox Bypass via an exported alert() method which can access the main application. Exported methods are stored in the application.remote object.
The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git which is also supported for git clone. The source includes the use of the secure child process API spawn(). However, the outpath parameter passed to it may be a command-line argument to the git clone command and result in arbitrary command injection.
All versions of package Masuit.Tools.Core are vulnerable to Arbitrary Code Execution via the ReceiveVarData<T> function in the SocketClient.cs component. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.
CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.
libxmljs provides libxml bindings for v8 javascript engine. This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will attempt invoking the .toString method of the argument. If the argument's toString value is not a Function object V8 will crash.
All versions of `dset` prior to 3.1.2 are vulnerable to Prototype Pollution via `dset/merge` mode, as the `dset` function checks for prototype pollution by validating if the top-level path contains `__proto__`, `constructor` or `prototype`. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.
The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks.