
Heiko Webers

Researcher from bauland42.com
#18917 of 53,633
14.2 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2023-20022 · CVSS 6.1 · 2023-05-11 · Fetlife · Fetlife Rollout-Ui · CVE-2023-25309
**Name of the Vulnerable Software and Affected Versions**

Fetlife rollout-ui version 0.5

**Description**

The issue allows attackers to execute arbitrary code via a crafted URL to the "delete a feature" functionality. This is a Cross Site Scripting (XSS) vulnerability.

**Recommendations**

For Fetlife rollout-ui version 0.5, consider disabling the "delete a feature" functionality until a patch is available. Restrict access to the crafted URL to minimize the risk of exploitation. Avoid using the "delete a feature" functionality in the affected version until the issue is resolved.
PT-2020-14845 · CVSS 8.1 · 2020-08-05 · Rails · Pghero · CVE-2020-16253
**Name of the Vulnerable Software and Affected Versions**

PgHero gem versions through 2.6.0

**Description**

The issue allows CSRF attacks. Normally, PgHero uses the `protect_from_forgery` method from Rails to prevent CSRF, but this defaults to `:null_session`, which has no effect on non-session based authentication methods. Thus, the gem is vulnerable with non-session based authentication methods like basic authentication.

**Recommendations**

For PgHero gem versions through 2.6.0, consider disabling non-session based authentication methods like basic authentication until a patch is available. Restrict access to vulnerable endpoints to minimize the risk of exploitation.
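The following is an added, dependency-free Ruby model of the mechanism described above; it is not PgHero's or Rails' code. It mimics the shape of Rails' forgery check (GET/HEAD exempt, otherwise the request's authenticity token must match) and contrasts the `:null_session` strategy, which drops the session and keeps processing the request, with the `:exception` strategy, which aborts the request. The class, method and credential names are constructed for the example; in real Rails the hardened configuration is `protect_from_forgery with: :exception`.

```ruby
# Added example: a toy model of Rails' protect_from_forgery strategies interacting
# with session-based and non-session-based (HTTP basic) authentication.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

# Constructed request shape: HTTP method, session hash, submitted CSRF token,
# and basic-auth credentials as [user, password] or nil.
Request = Struct.new(:method, :session, :authenticity_token, :basic_auth, keyword_init: true)

class ToyController
  def initialize(forgery_protection:, server_token:)
    @strategy = forgery_protection # :null_session (Rails' default) or :exception
    @server_token = server_token
  end

  # Mirrors the shape of Rails' check: safe methods are exempt, otherwise the
  # token must match. What happens on mismatch depends on the strategy.
  def verify_authenticity_token(request)
    return true if %w[GET HEAD].include?(request.method)
    return true if request.authenticity_token == @server_token

    case @strategy
    when :null_session
      request.session = {} # drop the session, but keep processing the request
      true
    when :exception
      raise InvalidAuthenticityToken
    end
  end

  # Two authentication methods: a session cookie, or HTTP basic auth, which
  # does not depend on the session at all.
  def authenticated?(request)
    return true if request.session[:user_id]
    request.basic_auth == ['admin', 'secret'] # constructed credentials
  end

  # A state-changing action; returns the outcome as a symbol.
  def destroy(request)
    verify_authenticity_token(request)
    authenticated?(request) ? :deleted : :unauthorized
  rescue InvalidAuthenticityToken
    :rejected
  end
end

# A cross-site POST carries no valid authenticity token, but the browser attaches
# the session cookie or cached basic-auth credentials automatically.
def forged_request(basic_auth: nil, session: {})
  Request.new(method: 'POST', session: session, authenticity_token: nil, basic_auth: basic_auth)
end

SERVER_TOKEN = SecureRandom.hex(16)

def outcome(strategy, request)
  ToyController.new(forgery_protection: strategy, server_token: SERVER_TOKEN).destroy(request)
end

if __FILE__ == $0
  # Session auth: :null_session empties the session, so the forged request fails.
  p outcome(:null_session, forged_request(session: { user_id: 1 }))         # :unauthorized
  # Basic auth: the session is emptied, but the credentials still authenticate.
  p outcome(:null_session, forged_request(basic_auth: ['admin', 'secret'])) # :deleted
  # :exception aborts the forged request before authentication is consulted.
  p outcome(:exception, forged_request(basic_auth: ['admin', 'secret']))    # :rejected
end
```

The second call is the CVE-2020-16253 failure mode in miniature: nullifying the session is only a defence when authentication lives in the session, so an application that accepts basic auth needs a strategy that stops the request outright.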