Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in JSON format. When using the ‘Open in browser’ option in versions up to 1.6.2, google-it will unsafely concatenate the result’s link retrieved…
[lifion-verify-deps] OS Command Injection in lifion-verify-deps
lifion-verify-dependencies through 1.1.0 is vulnerable to OS command injection via a crafted dependency name in the scanned project’s package.json file.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-34078
https://github.com/lifion/lifion-verify…
[formio] Server-Side Template Injection in formio
A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-28246
https://github.com/formio/enterp…
[docker-tester] Command injection in docker-tester
OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the ‘ports’ entry of a crafted docker-compose.yml file.
References
https://nvd.nist.gov/vuln/detail/CVE…
[github.com/mattermost/mattermost-server] Uncontrolled Resource Consumption in Mattermost server
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1982
https://mattermost.com/sec…
[dragonfly] Arbitrary file write in dragonfly
An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.
References
https://nvd.nist.gov/vuln/detail/…
[ibexa/core] Login timing attack in ibexa/core
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be go…
[ezsystems/ezpublish-kernel] Login timing attack in ezsystems/ezpublish-kernel
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be go…
[ezsystems/ezplatform-kernel] Login timing attack in ezsystems/ezplatform-kernel
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be go…
[solidus_backend] CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend
Impact
A CSRF vulnerability allows attackers to change the state of an order’s adjustments if they know its number and the request is executed on a store administrator’s computer.
Reproduction steps:
Take an order’s number.
Log in as an administrator.
…