Summary
The vulnerability impacts only users of the IdTokenVerifier class. The verify method in IdTokenVerifier does not validate the signature before verifying the claims (e.g. iss, aud). Signature verification makes sure that the token’s paylo…
[code.gitea.io/gitea] Arbitrary file deletion in gitea
An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a denial of service (DoS) by deleting the configuration file.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27313
https://github.com/go-gitea/gitea/pull/19072
…
[tkvideoplayer] tkvideo has a memory issue in playing videos
The player consumes very large amounts of memory even when playing small files. This issue has been patched in 2.0.0; upgrade to version 2.0.0 or later.
References
https://github.com/PaulleDemon/tkVideoPlayer/security/advisories/GHSA-jmhj-vh4q-hhmq
https://github.com/P…
[Masuit.Tools.Core] Code Injection in Masuit.Tools.Core
All versions of the package Masuit.Tools.Core are vulnerable to arbitrary code execution via the ReceiveVarData function in the SocketClient.cs component. The socket client in the package can pass in the payload via the user-controllable input after it has…
[s-cart/core] SCart is vulnerable to cross-site scripting (XSS)
SCart is a free, open-source e-commerce platform for businesses, built on the Laravel framework. The package s-cart/s-cart before 6.9 and the package s-cart/core before 6.9 are vulnerable to cross-site scripting (XSS), which can lead to cookie stealing of any vic…
[csv-safe] CSV-Safe improperly filters special characters potentially leading to CSV injection
Versions of the CSV-Safe gem before 3.0.0 do not filter out special characters that can trigger CSV (formula) injection.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-28481
https://github.com/zvory/csv-safe/issues/7
https://github.com/zvory/csv-safe/pull/8
https://git…
[git-pull-or-clone] OS Command Injection in git-pull-or-clone
The package git-pull-or-clone before 2.0.2 is vulnerable to command injection due to the use of the --upload-pack feature of git, which is also supported for git clone. The source includes the use of the secure child process API spawn(). However, the ou…
[jailed] Privilege Issues in jailed
All versions of the package jailed are vulnerable to sandbox bypass via an exported alert() method, which can access the main application. Exported methods are stored in the application.remote object.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23…
[luyadev/yii-helpers] Improper neutralization of formula elements in yii-helpers
Formula injection (CSV injection) due to improper neutralization of formula elements in CSV files in the GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-side command injection, code execution, …
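Both CSV injection entries on this page (csv-safe and yii-helpers) come down to the same defect: a cell is written out unchanged even though a spreadsheet will evaluate it as a formula. The following added example (this editor's code, not from either project) shows a cell encoder that neutralizes the trigger characters by prefixing a single quote, then applies RFC 4180 quoting; the trigger set (`=`, `+`, `-`, `@`, tab, CR, LF) is the commonly cited one and the sample rows are constructed.

```javascript
// Added example, not code from csv-safe or yii-helpers. A spreadsheet
// treats a cell as a formula when it begins with one of these characters;
// a leading single quote forces text interpretation.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r', '\n']);

// Neutralize formula triggers, then quote per RFC 4180 (wrap fields that
// contain a quote, comma, or line break; double embedded quotes).
function sanitizeCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) {
    s = `'${s}`;
  }
  if (/[",\r\n]/.test(s)) {
    s = `"${s.replace(/"/g, '""')}"`;
  }
  return s;
}

// Encode rows of cells into CSV text with CRLF record separators.
function toCsv(rows) {
  return rows.map((row) => row.map(sanitizeCell).join(',')).join('\r\n');
}

// Constructed export: one benign row and rows carrying typical payloads.
function demo() {
  const rows = [
    ['name', 'note'],
    ['alice', 'plain text'],
    ['bob', '=HYPERLINK("http://attacker.invalid","click")'],
    ['carol', '+cmd|\' /C calc\'!A0'],
    ['dave', '@SUM(1+1)'],
    ['erin', 'has, comma'],
  ];
  return toCsv(rows);
}
```

Caveat a practitioner should weigh: the prefix also turns legitimate negative numbers such as `-42` into text. Where a column is known to be numeric, validate it as a number before export instead of prefixing it.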
[dexie] Prototype Pollution in Dexie
Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to prototype pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the k…
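The class of bug behind the Dexie entry, as an added example that is not Dexie's code: a setter of the setByKeyPath(obj, keyPath, value) shape walks a dotted path and creates intermediate objects. Because `obj["__proto__"]` resolves to Object.prototype on any plain object, a path such as `__proto__.isAdmin` writes onto the shared prototype and every object in the process inherits the value. The hardened version rejects the well-known pollution segments and only descends into own properties; the payload string is constructed.

```javascript
// Added example (not Dexie's implementation or its patch): a dotted
// key-path setter in pollutable and hardened form.

// Vulnerable: segment lookup goes through the prototype chain, so
// "__proto__" yields Object.prototype and the final write pollutes it.
function setByKeyPathVulnerable(obj, keyPath, value) {
  const parts = keyPath.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuse pollution segments up front, and only descend into
// own plain-object properties so inherited values are never the target.
function setByKeyPathSafe(obj, keyPath, value) {
  const parts = keyPath.split('.');
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
    throw new TypeError(`unsafe key path segment in ${JSON.stringify(keyPath)}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed payload: pollute via the vulnerable setter, observe the
// effect on an unrelated fresh object, clean up, then show the hardened
// setter refuses the same path.
function demoPollution() {
  const payload = '__proto__.isAdmin';
  setByKeyPathVulnerable({}, payload, true);
  const leakedToFreshObject = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore the runtime for whatever runs next
  let blocked = false;
  try { setByKeyPathSafe({}, payload, true); } catch (e) { blocked = e instanceof TypeError; }
  const cleanAfterwards = ({}).isAdmin === undefined;
  return { leakedToFreshObject, blocked, cleanAfterwards };
}
```

Deny-listing segments is the minimal fix; a stronger design uses Object.create(null) or a Map for the intermediate containers so there is no prototype to reach in the first place.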