Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.9.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2064
https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b
https://huntr.dev/bounties/3…
A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded …
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-41749
https://githu…
Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-41641
https…
Nuitka 0.8.4 and prior is vulnerable to command injection. A patch is available and anticipated to be part of the 0.9 release.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2054
https://github.com/nuitka/nuitka/commit/09647745d7cbb6ff32f9fa948f…
All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability in this package. Note: Please note that the vulnerability will not be fixed. The README file was updated with a warning regardi…
The package convert-svg-core before 0.6.4 are vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file.
References
https://nvd.nist.gov/vuln/detail/CVE-…
This affects all versions of package posix. When invoking the toString method, it will fallback to 0x0 value, as the value of toString is not invokable (not a function), and then it will crash with type-check.
References
https://nvd.nist.gov/vuln/deta…
The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file.
References
…
The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25851
https://github.com/jpeg-js/j…
