Mattaustin

**Name of the Vulnerable Software and Affected Versions** Node.js versions 16.x through 20.x **Description** The issue is related to the `Module. load()` function, which can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This affects users using the experimental policy mechanism in all active release lines. The policy is an experimental feature of Node.js. **Recommendations** For Node.js versions 16.x through 20.x, update to a version that includes the fix for the issue, as the policy mechanism can be bypassed via `Module. load()`. At the moment, there is no information about a newer version that contains a fix for this vulnerability, however, it is mentioned that the issue is fixed in an unofficial release.

**Name of the Vulnerable Software and Affected Versions** Node.js version 20 **Description** A vulnerability in Node.js allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism, which is an experimental feature of Node.js. **Recommendations** For Node.js version 20, upgrade to version 20.3.1 to resolve the issue. As a temporary workaround, consider disabling the inspector module until a patch is available. Restrict access to the Worker class to minimize the risk of exploitation. Avoid using the `kIsInternal` Symbol in the Worker constructor until the issue is resolved.

**Nome do software vulnerável e versões afetadas** Versões do módulo htmlformentry do OpenMRS anteriores à 3.11.0 **Descrição** Foi detectada uma vulnerabilidade de execução remota de código, permitindo que um arquivo malicioso da linguagem de modelos Velocity fosse gravado em um diretório por meio de traversal de caminho. Esse arquivo poderia então ser acessado e executado. **Recomendações** Para versões anteriores à 3.11.0, atualize para a versão 3.11.0 ou posterior para resolver a vulnerabilidade. Como solução temporária, considere restringir o acesso aos arquivos da linguagem de modelo Velocity para minimizar o risco de exploração.