Source
ghsa
### Impact

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common; in particular, it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders.

### Patches

The problem has been patched in v4.9.3.

### Impact

Critters versions 0.0.17-0.0.19 have an issue when parsing HTML which leads to a potential [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) bug.

### Patches

The bug has been fixed in `v0.0.20`.

### Workarounds

Upgrading Critters version to `>0.0.20` is the easiest fix. This is a non-breaking version upgrade, so we recommend all users to use `v0.0.20`.

The `/rtc/post/` endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used, for instance, to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via the `hello.utils.extend` function.
Cross Site Scripting (XSS) vulnerability in `UserController.php` in ThinkCMF version 5.1.5 allows attackers to execute arbitrary code via a crafted `user_login`.
Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8 allows remote attackers to execute arbitrary code via the embed media feature.
Cross Site Request Forgery (CSRF) vulnerability in `xxl-job-admin/user/add` in xuxueli xxl-job version 2.2.0 allows remote attackers to execute arbitrary code and escalate privileges via a crafted .html file.
An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service.
SQL Injection vulnerability in file `Base_module_model.php` in Daylight Studio FUEL-CMS version 1.4.9 allows remote attackers to execute arbitrary code via the `col` parameter to function `list_items`.
An issue was discovered in `OFPBundleCtrlMsg` in `parser.py` in FaucetSDN Ryu version 4.34 that allows remote attackers to cause a denial of service (DoS) (infinite loop).