0Xmpij

**Name of the Vulnerable Software and Affected Versions** ScanCode.io versions prior to 32.5.2 **Description** The issue arises from inadequate validation and sanitization of the `key` parameter in the `/license/` endpoint, specifically in the `license details view` function. This can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license details view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. **Recommendations** To resolve the issue, upgrade to release 32.5.2 or later. As a temporary workaround, consider restricting access to the `/license/` endpoint or disabling the `license details view` function until a patch is available. Avoid using malicious javascript in the `key` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ScanCode.io versions prior to 32.5.1 **Description** The issue is related to a command injection vulnerability in the docker fetch process. This vulnerability allows malicious commands to be appended to the `docker reference` parameter. The `docker reference` variable is passed to the `get docker image platform` function, which constructs a shell command with the passed `docker reference`. The `pipes.run command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. A malicious user who can create or add inputs to a project can inject commands, potentially causing damage to the server or container, even though the command injections are blind and do not provide direct feedback without logs. **Recommendations** For versions prior to 32.5.1, the `docker reference` input should be sanitized to avoid command injections. As a workaround, avoid creating commands with user-controlled input directly. Update to version 32.5.1 or later, which contains a patch for this issue.