Eslerm

**Name of the Vulnerable Software and Affected Versions** DOMPurify versions prior to 2.5.4 DOMPurify versions prior to 3.1.3 **Description** The issue is related to the DOMPurify library, which is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML, and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. Additionally, it was possible to use Prototype Pollution to weaken the depth check, rendering DOMPurify unable to avoid cross-site scripting (XSS) attacks. **Recommendations** For DOMPurify versions prior to 2.5.4, upgrade to version 2.5.4 or later. For DOMPurify versions prior to 3.1.3, upgrade to version 3.1.3 or later. As a temporary workaround, consider restricting the use of the DOMPurify library until a patch is available.

**Name of the Vulnerable Software and Affected Versions** LXD (affected versions not specified) Ubuntu Server (affected versions not specified) **Description** A feature in LXD affects the default configuration of Ubuntu Server, allowing privileged users in the lxd group to escalate their privilege to root without requiring a sudo password. **Recommendations** For LXD, consider restricting access to the lxd group to minimize the risk of exploitation. For Ubuntu Server, review and modify the default configuration to require a sudo password for privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DOMPurify versions prior to 2.4.2 **Description** The issue is related to an uncontrolled modification of object prototype attributes in the DOMPurify JavaScript library, which is used for secure cleaning and protection of HTML code. This can allow a remote attacker to impact the confidentiality and integrity of protected information. The library is vulnerable to prototype pollution, which can lead to improper object modification and potential remote code execution. **Recommendations** For DOMPurify versions prior to 2.4.2, update to version 2.4.2 or later to fix the vulnerability. As a temporary workaround, consider restricting the use of the ` proto ` property and the `hasOwnField` function to minimize the risk of exploitation. Avoid using the `ALLOWED ATTR` values in the affected HTML sanitization process until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PHP-Memcached versions 2.2.0 and below **Description** The issue is related to an improper NULL termination, which allows attackers to execute CLRF injection. This could potentially lead to security breaches. Note that there is a dispute regarding the direct impact on PHP-Memcached. **Recommendations** For PHP-Memcached versions 2.2.0 and below, consider updating to a version that fixes the improper NULL termination issue to prevent CLRF injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.