D3Lla

**Name of the Vulnerable Software and Affected Versions** total4 versions prior to 0.0.43 **Description** The issue allows for Arbitrary Code Execution via the `U.set()` and `U.get()` functions. **Recommendations** For versions prior to 0.0.43, update to version 0.0.43 or later to resolve the issue. As a temporary workaround, consider disabling the `U.set()` and `U.get()` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** total.js versions prior to 3.4.9 **Description** The issue allows for Arbitrary Code Execution via the `U.set()` and `U.get()` functions. **Recommendations** For versions prior to 3.4.9, update to version 3.4.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** madge versions prior to 4.0.1 **Description** The issue affects the madge package, allowing an attacker to specify a custom Graphviz path via the `graphVizPath` option parameter. When the `.image()`, `.svg()`, or `.dot()` functions are called, the specified path is executed by the `childprocess.exec` function. This could potentially lead to arbitrary command execution. **Recommendations** For madge versions prior to 4.0.1, consider disabling the `childprocess.exec` function or restricting the use of the `graphVizPath` option parameter until a patch is available. Avoid using the `graphVizPath` option parameter in the affected API endpoints until the issue is resolved. Update to version 4.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** underscore versions 1.3.2 through 1.12.1 underscore versions 1.13.0-0 through 1.13.0-2 **Description** The issue is related to the template function in the underscore library, which is used for working with arrays in JavaScript. It is caused by incorrect code generation management. Exploitation of this issue may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability is specifically related to the template function when a variable property is passed as an argument without proper sanitization, leading to arbitrary code injection. **Recommendations** For underscore versions 1.3.2 through 1.12.1, update to a version outside of this range to mitigate the risk. For underscore versions 1.13.0-0 through 1.13.0-2, update to version 1.13.0-2 or later to resolve the issue. As a temporary workaround, consider disabling the template function until a patch is available. Restrict access to the template function to minimize the risk of exploitation, especially when variable properties are passed as arguments.

**Name of the Vulnerable Software and Affected Versions** is-user-valid (affected versions not specified) **Description** The issue concerns LDAP Injection, which can result in either authentication bypass or information exposure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: gsap versions prior to 3.6.0 Description: The issue is related to a prototype pollution vulnerability. It is reported to affect all versions of gsap before 3.6.0. Recommendations: For versions prior to 3.6.0, update to version 3.6.0 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: djv versions prior to 2.1.4 Description: The issue allows an attacker to run arbitrary JavaScript code on the victim machine by controlling the schema file. Recommendations: For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** node-notifier versions prior to 9.0.0 **Description** The issue allows an attacker to run arbitrary commands on Linux machines due to the `options` params not being sanitized when being passed an array. This could enable an attacker to execute malicious commands. **Recommendations** For versions prior to 9.0.0, update to version 9.0.0 or later to resolve the issue. As a temporary workaround, consider sanitizing the `options` params when passing arrays to prevent arbitrary command execution.