Source
ghsa
A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.
A carefully crafted request on UserPreferences.jsp could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account and then issue a password reset request from the login page.
Raneto v0.17.0 employs weak password complexity requirements, allowing attackers to crack user passwords via brute-force attacks. Version 0.17.1 contains security mitigations for this and other vulnerabilities.
A command injection vulnerability affects all versions of package npos-tesseract. The injection point is located at line 55 of lib/ocr.js.
A command injection vulnerability affects the package image-tiler before version 2.0.2.
A command injection vulnerability affects all versions of package heroku-env. The injection point is located in lib/get.js which is required by index.js.
A command injection vulnerability affects all versions of package gitblame. The injection point is located at line 15 of lib/gitblame.js.
The package get-npm-package-version before 1.0.7 is vulnerable to Command Injection via the `main` function in index.js.
A command injection vulnerability affects all versions of the package node-latex-pdf.
A command injection vulnerability affects all versions of the package curljs.