PT-2026-23616 · 6.9 · 2026-03-05

Mailkit · Emailkit · CVE-2026-30227
**Name of the Vulnerable Software and Affected Versions**

MimeKit versions prior to 4.15.1
MailKit versions prior to 4.15.1

**Description**

A CRLF injection flaw exists in MimeKit and MailKit when handling SMTP envelope addresses. Specifically, when the local-part of an address is a quoted-string, the software fails to prevent the inclusion of carriage return and line feed characters (`\r\n`). RFC 5321 prohibits CR and LF within quoted-strings; because the affected versions do not enforce this, an attacker can inject SMTP commands, such as `RCPT TO`, `DATA`, and `RSET`, or potentially inject mail headers, depending on how the application uses MailKit/MimeKit. The issue arises when an attacker can control a `MailboxAddress` value that is subsequently serialized into an SMTP session.

The affected components are MimeKit 4.15.0 and MailKit 4.15.0. Any application that accepts untrusted input for sender/recipient addresses, constructs `MailboxAddress` objects from that input, and sends messages via SMTP may be impacted. Exploitation can lead to mail redirection, data exfiltration, corruption of the SMTP transaction state, and potentially header injection or logging evasion.

**Recommendations**

Update versions prior to 4.15.1 to version 4.15.1 or later. Reject carriage return and line feed characters (`\r` and `\n`) in the local-part when parsing or constructing mailbox addresses used for SMTP envelopes. Ensure quoted local-part parsing aligns with RFC 5321's `qtextSMTP` and `quoted-pairSMTP` ranges, which disallow control characters.
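The local-part check the recommendations describe, written here as an added example (it is not MimeKit or MailKit code): it applies the RFC 5321 `qtextSMTP` and `quoted-pairSMTP` ranges to quoted-string local-parts and `atext` to dot-strings, so CR and LF are rejected in either form before an address can reach an SMTP session. The domain check is a simplification (assumption: LDH labels only, no address-literals).

```python
import re

# atext from RFC 5322 section 3.2.3, which RFC 5321's Dot-string is built from.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")
# Simplified RFC 5321 Domain: LDH labels only (assumption: no address-literals).
DOMAIN_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                       r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")

def is_qtext_smtp(ch: str) -> bool:
    # qtextSMTP = %d32-33 / %d35-91 / %d93-126: printable ASCII minus DQUOTE and
    # backslash. CR (13), LF (10) and every other control character fall outside.
    c = ord(ch)
    return 32 <= c <= 33 or 35 <= c <= 91 or 93 <= c <= 126

def is_valid_quoted_string(local: str) -> bool:
    # Quoted-string = DQUOTE *QcontentSMTP DQUOTE
    if len(local) < 2 or local[0] != '"' or local[-1] != '"':
        return False
    body, i = local[1:-1], 0
    while i < len(body):
        if body[i] == "\\":
            # quoted-pairSMTP = %d92 %d32-126: a backslash may only escape printable
            # ASCII, so an escaped CR or LF is rejected just like a bare one.
            if i + 1 >= len(body) or not 32 <= ord(body[i + 1]) <= 126:
                return False
            i += 2
        elif is_qtext_smtp(body[i]):
            i += 1
        else:
            return False
    return True

def is_valid_dot_string(local: str) -> bool:
    # Dot-string = Atom *("." Atom); Atom = 1*atext, so no empty atoms (no leading,
    # trailing or doubled dots) and no control characters at all.
    return bool(local) and all(atom and set(atom) <= ATEXT for atom in local.split("."))

def is_valid_smtp_local_part(local: str) -> bool:
    # Local-part = Dot-string / Quoted-string; RFC 5321 limits it to 64 octets.
    if len(local) > 64:
        return False
    return is_valid_quoted_string(local) if local.startswith('"') else is_valid_dot_string(local)

def is_safe_envelope_address(address: str) -> bool:
    # Split on the last "@" so a quoted local-part may itself contain "@"; fullmatch
    # rather than match with "$" so a trailing newline in the domain also fails.
    local, sep, domain = address.rpartition("@")
    return bool(sep) and is_valid_smtp_local_part(local) and DOMAIN_RE.fullmatch(domain) is not None
```

Run this on every untrusted sender or recipient value before constructing a `MailboxAddress` from it; a `False` result should be treated as a rejected input, not sanitised.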