severity

The package grapesjs before 0.19.5 is vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-21802
https://github.com/artf/grapesjs/issues/44…

The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages which contained the parameters in verbatim.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2514
…

Cross-site Scripting (XSS) – Reflected in GitHub repository beancount/fava prior to 1.22.2.
The query_string parameter of Fava is vulnerable to reflected cross-site scripting, for which a attacker can modify any information that the user is able to mod…

A command injection vulnerability affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28435
https://security.snyk.io/vuln/SNYK-JS-FFMPEGSDK-1050429
http…

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
Re…

A command injection vulnerability affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28438
https://security.snyk.io/vuln/SNYK-JS-DEFERRE…

All versions of package git-archive are vulnerable to Command Injection via the exports function.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28422
https://security.snyk.io/vuln/SNYK-JS-GITARCHIVE-1050391
https://github.com/advisories/GHSA-vq…

A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28436
https://github.com/samradical/google-cloudstorage-commands/blob/master/index.js%2…

This affects all versions of package node-import. The params argument of module function can be controlled by users without any sanitization. This is then provided to the “eval” function located in line 79 in the index file index.js.
References

https:…

A command injection vulnerability affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath).
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28447
https://security.snyk.i…