ghsa

A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is [deprecated](https://github.com/ianwalter/merge/blob/master/README.md) and the maintainer suggests using [@generates/merger](https://github.com/generates/generates/tree/main/packages/merger) instead.

The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.

A command injection vulnerability affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

Microwerber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).

Microweber prior to 1.2.21 is vulnerable to reflected cross-site scripting (XSS).

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) on the client side via a crafted URI. According to the maintainer, the bug only affects the client side of the request and cannot cause a denial of service on the server.

## Duplicate Advisory This advisory is a duplicate of GHSA-hrgx-p36p-89q4. This link is maintained to preserve external references. ## Original Description PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.