GitHub

An issue was discovered in the scratchpad crate before 1.3.1 for Rust. The move_elements function can have a double-free upon a panic in a user-provided f function.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-28031
https://rustsec.org/advisor…

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability
References

https://nvd.nist.gov/vuln/detail/CVE-2021-26700
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26700
https://github.com/advisories/GHSA…

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-20066
https://www.tenable.com/securit…

An issue was discovered in the qwutils crate before 0.3.1 for Rust. When a Clone panic occurs, insert_slice_clone can perform a double drop.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-26954
https://rustsec.org/advisories/RUSTSEC-2021-0018.ht…

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authenticati…

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
References

https://nvd.nist.gov/vuln/detail/C…

An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-25900
https://rustsec.org/advisories/RUSTSE…

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
References

https://nvd.nist.gov/vuln/detail/CVE-2020-36191
https://github.com/jupyte…

Prototype pollution vulnerability in ‘@strikeentco/set’ version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28267
https://github.com/strikeentco/set/com…

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
References

https://nvd…