Source
ghsa
Properties-Reader prior to version 2.2.0 is vulnerable to prototype pollution. Version 2.2.0 contains a patch for this issue.
markdown-it-decorate adds attributes, IDs and classes to Markdown, and the most recent version 1.2.2 was published in 2017. All versions are currently vulnerable to cross-site scripting (XSS) and there is no fixed version at this time.
Dompdf prior to version 2.0.0 is vulnerable to a chroot check bypass, which could cause disclosure of png and jpeg files.
Versions of thenify prior to 3.3.1 made use of unsafe calls to `eval`. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to `eval`.
### Impact

Initializing a checkboxradio widget on an input enclosed within a label causes the contents of that parent label to be treated as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to the execution of JavaScript code.

For example, starting with the following initial secure HTML:

```html
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
```

and calling:

```js
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
```

will turn the initial HTML into:

```html
<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
```

and the alert will get executed.

### Patches

The bug has been patched in jQuery UI 1.13.2.

### Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`...
glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to a lack of escaping and sanitizing in the payment gateway titles.
In Apache Hive before 3.1.3, `CREATE` and `DROP` function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could potentially be malicious.
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.