Haojun Hou

**Name of the Vulnerable Software and Affected Versions** Poppler version 0.54.0 **Description** A memory leak issue was discovered in the `Object::initArray` function in Object.cc, which can be exploited by attackers to cause a denial of service using a crafted file. **Recommendations** For Poppler version 0.54.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.15 **Description** The issue is caused by insufficient filtration of user-supplied data in the `id` HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" API endpoint. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website. **Recommendations** For BigTree CMS versions prior to 4.2.15, update to version 4.2.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the "core/admin/adjax/dashboard/check-module-integrity.php" API endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fastspot BigTree bigtree-form-builder versions prior to 1.2 **Description** The issue is caused by insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to a "site/index.php/../../extensions/com.fastspot.form-builder/ajax/redraw-field.php" API endpoint. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website. **Recommendations** For versions prior to 1.2, update to version 1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `redraw-field.php` module to minimize the risk of exploitation. Avoid using user-supplied data in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 54.0.2840.59 Opera versions prior to 54.0.2840.59 **Description** The issue allows a remote attacker to bypass cross-origin restrictions via crafted HTML pages due to a missed CORS check on redirect in TextTrackLoader. **Recommendations** For Google Chrome versions prior to 54.0.2840.59, update to version 54.0.2840.59 or later. For Opera versions prior to 54.0.2840.59, update to version 54.0.2840.59 or later.