The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitr…
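The route by which `settings[view options][outputFunctionName]` reaches the engine is the one every Express-style app has: bracket-notation query parameters are parsed into nested objects, and an app that passes the request's query (or body) straight into `res.render` hands those nested objects to the view engine as its options. The example below is added here and is not ejs's or Express's code; the tiny bracket parser is a constructed stand-in for the "extended" query parser, and `TEMPLATE_DATA_KEYS` is an assumed allowlist for a hypothetical template.

```javascript
// Added example (not ejs's or Express's code). Shows how "a[b][c]=v" query
// syntax becomes {a:{b:{c:"v"}}}, why passing that object to a view engine
// lets engine options ride along with template data, and an allowlist that
// keeps engine configuration out of reach.

// Constructed stand-in for a bracket-notation query parser. Uses null-prototype
// objects so a key such as "__proto__" cannot pollute Object.prototype.
function parseBracketQuery(qs) {
  const out = Object.create(null);
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    // "settings[view options][outputFunctionName]"
    //   -> ["settings", "view options", "outputFunctionName"]
    const m = key.match(/^([^[\]]+)((?:\[[^\]]*\])*)$/);
    if (!m) continue;
    const path = [m[1]];
    for (const seg of m[2].matchAll(/\[([^\]]*)\]/g)) path.push(seg[1]);
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Vulnerable pattern: the whole parsed query becomes the render options, so
// keys the engine interprets as configuration arrive next to template data.
function renderOptionsUnsafe(query) {
  return parseBracketQuery(query);
}

// Hardened pattern: copy only the scalar data keys this template needs.
// (Assumed allowlist for a hypothetical template; adjust per view.)
const TEMPLATE_DATA_KEYS = ['name', 'page'];
function renderOptionsSafe(query) {
  const parsed = parseBracketQuery(query);
  const data = {};
  for (const k of TEMPLATE_DATA_KEYS) {
    if (typeof parsed[k] === 'string') data[k] = parsed[k];
  }
  return data;
}

// Detection helper: does an options object carry the shape from the advisory?
function hasOutputFunctionNameOverride(opts) {
  const vo = opts && opts.settings && opts.settings['view options'];
  return Boolean(vo && typeof vo.outputFunctionName === 'string');
}
```

The fix on the application side is independent of the engine version: never spread a request object into render options; build the data object from an explicit list of keys. Upgrading ejs closes the specific key, the allowlist closes the class.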
[czproject/git-php] Command injection in czproject/git-php
The package czproject/git-php before 4.0.3 is vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcomm…
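Argument injection needs no shell: a value that begins with `-` is read by git as an option even when it is passed as a separate argv element, so a url such as `--upload-pack=<program>` tells `git ls-remote` which program to run. The example below is added here and is not czproject/git-php's code; it re-creates the pattern in JavaScript, and the scheme allowlist is an assumption for the example (it deliberately rejects scp-style `user@host:path` remotes).

```javascript
// Added example (not czproject/git-php's code). Argument injection into
// "git ls-remote <url> <refs...>" and a builder that refuses option-looking
// values and ends option parsing with "--".

// Vulnerable builder: user-supplied url and refs go straight into git's argv.
function lsRemoteArgvUnsafe(url, refs = []) {
  return ['ls-remote', url, ...refs];
}

// Assumed allowlist for this example: only URL-style remotes.
const ALLOWED_SCHEMES = /^(https?|ssh|git):\/\//i;

// Hardened builder: no argument may start with "-", the url must be a plain
// remote URL, and "--" makes git treat everything after it as operands.
function lsRemoteArgv(url, refs = []) {
  if (typeof url !== 'string' || url.startsWith('-') || !ALLOWED_SCHEMES.test(url)) {
    throw new Error('refusing url that is not a plain remote URL: ' + url);
  }
  for (const r of refs) {
    if (typeof r !== 'string' || r.length === 0 || r.startsWith('-')) {
      throw new Error('refusing ref that looks like an option: ' + r);
    }
  }
  return ['ls-remote', '--', url, ...refs];
}

// Which argv entries would git parse as options? Anything before "--" (or
// anywhere, if there is no "--") that starts with "-".
function optionLikeArgs(argv) {
  const end = argv.indexOf('--');
  const scope = end === -1 ? argv : argv.slice(0, end);
  return scope.filter((a) => a.startsWith('-'));
}

// Usage (nothing is spawned in this example):
//   const { execFileSync } = require('child_process');
//   execFileSync('git', lsRemoteArgv(url, refs), { stdio: 'pipe' });
```

Both checks matter: `--` stops git from reading later arguments as options, and rejecting a leading `-` catches values that would be handed to a git command that does not honour `--` the same way.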
[snipe/snipe-it] Stored cross-site scripting in Snipe-IT
Snipe-IT prior to version 5.4.3 is vulnerable to stored cross-site scripting because the input to the checked_out_to parameter is not escaped. The vulnerability is capable of stealing a user’s cookie.
References
https://nvd.nist.gov/vuln/detail/CVE-20…
[roundup] Multiple cross-site scripting (XSS) vulnerabilities in Roundup
Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.
References
https://nvd.nist.gov/vuln/detail/C…
[org.owasp.antisamy:antisamy] Cross-site Scripting in OWASP AntiSamy
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix fo…
[org.owasp.antisamy:antisamy] Cross-site Scripting in OWASP AntiSamy
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2…
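The two AntiSamy entries above share one mechanism: the HTML tokenizer treats `<style>` as raw text, does no CSS parsing, and ends the element at the first `</style` followed by whitespace, `/` or `>`, so CSS that a sanitizer accepted as valid can still carry an HTML tag out of the style element if the serializer writes it back verbatim. The example below is added here and is not OWASP AntiSamy's code; the closing-tag regex and the `\3c ` CSS escape are the example's own choices, and `splitStyleOutput` is a constructed mini-model of the tokenizer, not a real HTML parser.

```javascript
// Added example (not OWASP AntiSamy's code). Why validated CSS inside
// <style> can smuggle a tag, and a serializer that prevents it.

// Raw-text end condition for <style>: "</style" then whitespace, "/" or ">".
const STYLE_END = /<\/style(?=[\s/>])/i;

// Index at which an HTML parser would stop reading the style sheet, or -1.
function rawTextBreakout(css) {
  const m = STYLE_END.exec(css);
  return m ? m.index : -1;
}

// Unsafe serializer: emits the CSS verbatim, trusting that it parsed as CSS.
function serializeStyleUnsafe(css) {
  return '<style>' + css + '</style>';
}

// Hardened serializer: write every "<" as the CSS escape "\3c " (U+003C plus
// the space that terminates the escape). The CSS parser still sees "<";
// the HTML tokenizer never does, so no "</style" can appear in the output.
function serializeStyle(css) {
  return '<style>' + css.replace(/</g, '\\3c ') + '</style>';
}

// Constructed tokenizer model: the style sheet is the text up to the first
// raw-text terminator; whatever follows that terminator's ">" is markup.
function splitStyleOutput(html) {
  const body = html.slice('<style>'.length);
  const idx = rawTextBreakout(body);
  if (idx === -1) return { css: body, trailingMarkup: '' };
  const close = body.indexOf('>', idx);
  return { css: body.slice(0, idx), trailingMarkup: body.slice(close + 1) };
}
```

The check that matters is on the serialized output (what the browser tokenizes), not on the parsed CSS model; a fix that validates the model and then re-emits the original text is exactly the "incomplete fix" shape. The escape is only valid for text that will be parsed as a style sheet; a `style` attribute is attribute text and needs HTML attribute encoding instead.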
[net.sourceforge.htmlunit:neko-htmlunit] Denial of service in HtmlUnit-Neko
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue al…
[github.com/kardianos/service] OS Command injection in github.com/kardianos/service
service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory.
The validity of this vulnerability has been questioned and the reporter has req…
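Whatever the outcome of that dispute, the class the report points at is the classic unquoted service path: when the image path registered for a Windows service contains spaces and is not quoted, the command line is split at each space and every prefix is tried as the program name (with `.exe` appended where no extension is present) before the intended binary is reached, so a writable `C:\Program.exe` or `C:\Program Files\My.exe` runs instead. The example below is added here and is not kardianos/service's code; `unquotedPathCandidates` is a model of that interpretation order (real resolution stops at the first file that exists), and `quoteArg` deliberately rejects embedded double quotes rather than implement full Windows command-line quoting.

```javascript
// Added example (not kardianos/service's code). Which programs Windows may
// try for an unquoted service command line, and how to quote it so there is
// exactly one interpretation.

// Append ".exe" when the last path component has no extension, as the
// CreateProcess module-name lookup does.
function withExe(p) {
  const base = p.slice(p.lastIndexOf('\\') + 1);
  return base.includes('.') ? p : p + '.exe';
}

// Interpretation order for an image path. A quoted path has one candidate;
// an unquoted path yields one candidate per space, then the full string.
function unquotedPathCandidates(imagePath) {
  if (imagePath.startsWith('"')) {
    const end = imagePath.indexOf('"', 1);
    return [imagePath.slice(1, end === -1 ? undefined : end)];
  }
  const candidates = [];
  let idx = -1;
  while ((idx = imagePath.indexOf(' ', idx + 1)) !== -1) {
    candidates.push(withExe(imagePath.slice(0, idx)));
  }
  candidates.push(withExe(imagePath));
  return candidates;
}

// True when the stored command line is ambiguous and should be quoted.
function needsQuoting(imagePath) {
  return unquotedPathCandidates(imagePath).length > 1;
}

// Wrap an argument in double quotes when it contains whitespace. Embedded
// quotes need the full Windows quoting rules and are rejected here.
function quoteArg(a) {
  if (a.includes('"')) throw new Error('embedded double quote not handled by this example: ' + a);
  return /[ \t]/.test(a) ? '"' + a + '"' : a;
}

// Build the service command line: quoted executable first, then arguments.
function quoteServiceCommand(exePath, args = []) {
  return [exePath, ...args].map(quoteArg).join(' ');
}
```

The check to run on a host is the same model applied to every service's `ImagePath`: any value with a space before the executable's extension and no leading quote has more than one candidate, and each of those candidate locations is worth auditing for write access by non-administrators.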
[pimcore/pimcore] SQL Injection found in Pimcore
Pimcore is an open source data & experience management platform. A SQL injection was discovered in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1429
https://github…
[microweber/microweber] Cross-site Scripting in Microweber
Microweber prior to 1.2.15 is vulnerable to reflected cross-site scripting on demo.microweber.org/demo/module/. This allows the execution of arbitrary JavaScript as the attacked user.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1439
https://g…