Divyesh Prajapati

**Nome do software vulnerável e versões afetadas** Versões do algoliasearch-helper anteriores à 3.6.2 **Descrição** O problema decorre do uso da função `merge` em src/SearchParameters/index.js, especificamente na função `SearchParameters. parseNumbers`, sem proteção contra propriedades de protótipo, levando à contaminação de protótipos. Isso só pode ser explorado se a implementação permitir que os usuários definam padrões de pesquisa arbitrários. **Recomendações** Para versões anteriores à 3.6.2, atualize para a versão 3.6.2 ou posterior para resolver o problema. Como solução temporária, considere restringir a entrada do usuário para impedir padrões de pesquisa arbitrários.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** A cross-site scripting (XSS) issue exists due to insufficient input validation in the `column title` function. This allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `wp-admin/includes/class-wp-media-list-table.php` file until a patch is applied. Avoid using crafted attachment names in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is due to a vulnerability in the `wp get attachment link` function. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload attachments with crafted names until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** The issue allows remote attackers to bypass intended redirection restrictions. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** The issue allows remote attackers to bypass intended access restrictions and remove a category attribute from a post. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** The issue allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** The issue allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to `wp-admin/includes/ajax-actions.php` and `wp-admin/revision.php`. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue.