#js

Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database.

FLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.

Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-6113-01 - Red Hat Application Interconnect 1.0 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site. This is an update to the rpms for Red Hat Application Interconnect 1.0 to fix some security issues in the golang compiler.

A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload.

Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0.

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

### Impact `pocketmine\entity\Skin` doesn't correctly handle errors produced by `adhocore/json-comment`, which throws `RuntimeException` rather than returning `false` as PocketMine-MP expects. This leads to a server crash if the skin geometry data is invalid for some reason (e.g. a syntax error). ### Patches c9626c610b8f6810c8c987559c9197b2a291f0bb ### Workarounds A plugin could handle `LoginPacket` and `PlayerSkinPacket` to verify the skin geometry data can be parsed correctly, so that the error condition in the core code is never reached. ### For more information If you have any questions or comments about this advisory: * Email us at [security@pmmp.io](mailto:security@example.com)

### Impact Our library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function was used to execute strings that begin with "function" as Javascript. This was an oversight that unfortunately allows arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-ze...

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).