Eric Cornelissen

**Name of the Vulnerable Software and Affected Versions** spin.js versions prior to 3.0.0 **Description** The software is susceptible to Cross-site Scripting (XSS) through the `spin()` function. This allows an attacker to create multiple alerts for each 'target' element. Exploitation requires prototype pollution, achieved by setting an arbitrary key-value pair on `Object.prototype` via a crafted URL, enabling the execution of arbitrary JavaScript in the user's browser context. **Recommendations** Update to spin.js version 3.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 2.1.9 **Description** Shescape is a JavaScript shell escape library. A flaw exists where an attacker may be able to bypass escaping for the shell being used, potentially leading to exposure of sensitive information. This issue impacts users who configure the `shell` option to point to a file on disk that is a symbolic link to another symbolic link. The outcome of a successful exploit depends on the specific shell in use and how Shescape identifies it. The provided proof of concept demonstrates the bypass using a crafted payload with the `userInput` variable and the `shescape.escape()` function. The example uses the `/api/v1/exec` endpoint to execute commands. **Recommendations** Versions prior to 2.1.9 should be upgraded to version 2.1.9 or later. If upgrading is not possible, avoid using a shell or ensure the configured shell path is not a link to a link.