Wiki.js · CVE-2024-34710
**Name of the Vulnerable Software and Affected Versions**
Wiki.js versions prior to 2.5.303
**Description**
A client-side template injection issue was discovered in Wiki.js, a wiki app built on Node.js. This issue could allow an attacker to inject malicious JavaScript into the content section of pages, which would execute when a victim loads the page containing the payload. The injection is possible through the use of an invalid HTML tag with a template injection payload on the next line.
**Recommendations**
For versions prior to 2.5.303, update to version 2.5.303 to resolve the issue. As a temporary workaround, consider restricting the ability to inject custom HTML tags into the content section of pages until the update can be applied.
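An added example (not from the advisory or the Wiki.js project): a Node.js audit helper that flags stored page source matching the pattern in the description, an unrecognised HTML tag followed on the next line by a template expression. It assumes Vue-style `{{ ... }}` delimiters and a partial tag allowlist; `findSuspectLines`, `KNOWN_TAGS` and the sample input are illustrative names and constructed data.

```javascript
// Added example: heuristic audit of stored page source (not Wiki.js code).
// Assumption: template expressions use mustache delimiters "{{ ... }}".
// Assumption: KNOWN_TAGS is a partial allowlist; extend it for your content.
const KNOWN_TAGS = new Set(('a abbr b blockquote br code dd details div dl dt em ' +
  'figure figcaption h1 h2 h3 h4 h5 h6 hr i img kbd li mark ol p pre s section ' +
  'small span strong sub summary sup table tbody td tfoot th thead tr u ul').split(' '));

const TAG_RE = /<\s*([A-Za-z][\w:-]*)[^>]*>/g;   // opening tags only
const MUSTACHE_RE = /\{\{[\s\S]*?\}\}/;          // one template expression

// Returns [{ line, tag, next }] for every line that carries a tag outside the
// allowlist and is immediately followed by a line containing "{{ ... }}".
function findSuspectLines(source) {
  const lines = source.split(/\r?\n/);
  const hits = [];
  for (let i = 0; i < lines.length - 1; i++) {
    if (!MUSTACHE_RE.test(lines[i + 1])) continue;
    for (const m of lines[i].matchAll(TAG_RE)) {
      const tag = m[1].toLowerCase();
      if (!KNOWN_TAGS.has(tag)) {
        hits.push({ line: i + 1, tag, next: lines[i + 1].trim() });
        break; // one finding per line is enough for review
      }
    }
  }
  return hits;
}

// Constructed sample page source (not taken from a real wiki).
const SAMPLE = [
  '# Release notes',
  '<div class="note">',
  'Use {{ version }} in the footer.',   // known tag above: not flagged
  '<notatag>',
  '{{ constructed_marker }}',           // unknown tag above: flagged
  'Plain paragraph with <em>emphasis</em>.',
].join('\n');

console.log(findSuspectLines(SAMPLE));
```

Findings are candidates for manual review, not proof of injection; pages edited while a version prior to 2.5.303 was running are the ones to check first.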