Jayl1N

**Name of the Vulnerable Software and Affected Versions** dhowden tag versions before 0.0.0-20201120070457-d52dcb253c63 dhowden tag versions before 2020-11-19 **Description** The issue is due to improper bounds checking in a number of methods, which can trigger a panic via `readPICFrame`, `readAPICFrame`, or `readAtomData` due to attempted out-of-bounds reads. If the package is used to parse user-supplied input, this may be used as a vector for a denial of service attack. **Recommendations** For dhowden tag versions before 0.0.0-20201120070457-d52dcb253c63, update to a version after 0.0.0-20201120070457-d52dcb253c63 to resolve the issue. For dhowden tag versions before 2020-11-19, update to a version after 2020-11-19 to resolve the issue. As a temporary workaround, consider restricting the use of methods that can trigger a panic due to attempted out-of-bounds reads until a patch is available. Avoid using the package to parse user-supplied input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** dhowden tag versions prior to 0.0.0-20201120070457-d52dcb253c63 **Description** The issue is due to improper bounds checking in a number of methods, which can trigger a panic via `readAPICFrame` or `readAtomData` due to attempted out-of-bounds reads. If the package is used to parse user-supplied input, this may be used as a vector for a denial of service attack. **Recommendations** For versions prior to 0.0.0-20201120070457-d52dcb253c63, consider updating to a version that includes the fix for this issue. As a temporary workaround, restrict the use of methods that trigger the panic, such as `readAPICFrame` and `readAtomData`, when parsing user-supplied input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dhowden tag versions prior to 0.0.0-20201120070457-d52dcb253c63 dhowden tag versions prior to 2020-11-19 **Description** The issue is due to improper bounds checking in several methods, which can trigger a panic via `readAPICFrame`, `readAtomData`, or `readTextWithDescrFrame` due to attempted out-of-bounds reads. If the package is used to parse user-supplied input, this may be used as a vector for a denial of service attack. **Recommendations** For dhowden tag versions prior to 0.0.0-20201120070457-d52dcb253c63, update to version 0.0.0-20201120070457-d52dcb253c63 or later. For dhowden tag versions prior to 2020-11-19, update to a version released on or after 2020-11-19. As a temporary workaround, consider restricting the use of methods `readAPICFrame`, `readAtomData`, and `readTextWithDescrFrame` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dhowden tag versions prior to 0.0.0-20201120070457-d52dcb253c63 **Description** The issue is due to improper bounds checking in several methods, which can trigger a panic via `readAtomData` or `readAPICFrame` due to attempted out-of-bounds reads. If the package is used to parse user-supplied input, this may be used as a vector for a denial of service attack. **Recommendations** For versions prior to 0.0.0-20201120070457-d52dcb253c63, consider updating to a version that includes proper bounds checking to prevent out-of-bounds reads. As a temporary workaround, consider restricting the use of methods that can trigger a panic, such as `readAtomData` and `readAPICFrame`, until a patch is available. Avoid using the package to parse user-supplied input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JEESNS version 1.3 **Description** An issue was discovered in the XSS filter of JEESNS, where the filter could be bypassed. This is due to an incomplete fix for a previous issue. The bypass can be demonstrated using a substring such as `<svg/onLoad=confirm`. **Recommendations** For JEESNS version 1.3, as a temporary workaround, consider disabling the `XssHttpServletRequestWrapper.java` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.