Keerok

**Name of the Vulnerable Software and Affected Versions** Simple-Plist version 1.3.0 **Description** The issue is related to a prototype pollution vulnerability. This vulnerability can be exploited via the `parse()` function. **Recommendations** For Simple-Plist version 1.3.0, consider avoiding the use of the `parse()` function until a patch is available. As a temporary workaround, restrict the input to the `parse()` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plist versions prior to 3.0.4 **Description** The issue allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution via a prototype pollution vulnerability in the `.parse()` function. **Recommendations** For versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `.parse()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** matrix-react-sdk versions prior to 3.15.0 **Description** The user content sandbox in matrix-react-sdk can be abused to trick users into opening unexpected documents. This is achieved through several user interactions, allowing the content to be opened with a `blob` origin. However, it is noted that the content opened in this manner cannot access Matrix user data, so messages and secrets are not at risk. **Recommendations** For versions prior to 3.15.0, update to version 3.15.0 to resolve the issue. As a temporary workaround, consider restricting user interactions that could lead to the abuse of the user content sandbox until the update is applied.

**Name of the Vulnerable Software and Affected Versions** E-Sic version 1.0 **Description** The issue allows SQL injection via the `q` parameter to the "esiclivre/restrito/inc/lkpcep.php" endpoint, which is related to the search private area. **Recommendations** For E-Sic version 1.0, consider restricting access to the "esiclivre/restrito/inc/lkpcep.php" endpoint to minimize the risk of exploitation. Avoid using the `q` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.