Alessio-Romano

Name of the Vulnerable Software and Affected Versions: I, Librarian versions prior to 5.11.2 Description: The issue arises from a broken logic in handling Supplemental Files, allowing unsafe files with Javascript to be executed within the application context. An attacker can exploit this by uploading a malicious file, which will be executed when loaded in the browser. Recommendations: For versions prior to 5.11.2, update to version 5.11.2 to resolve the issue. As a temporary workaround, consider restricting the upload of supplementary files or disabling the viewing of such files in the browser until the update is applied.

**Name of the Vulnerable Software and Affected Versions** I, Librarian versions prior to 5.11.1 **Description** The issue arises from the lack of validation or sanitation of PDF notes displayed on the Item Summary page. An attacker can exploit this by inserting a malicious payload into the PDF notes, which will be executed when the page is loaded in the browser. **Recommendations** For versions prior to 5.11.1, update to version 5.11.1 to resolve the issue. As a temporary workaround, consider restricting access to the Item Summary page or disabling the display of PDF notes until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Note Mark versions prior to 0.13.1 **Description** A stored cross-site scripting issue allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. **Recommendations** For versions prior to 0.13.1, update to version 0.13.1 to resolve the issue.