Kuycheu Kung

#15985 of 53,633
16.9 Total CVSS
Vulnerabilities · 2
Medium: 1
Critical: 1
PT-2026-35132
10
2026-04-25
Npm · Simple-Git · CVE-2026-6951
**Name of the Vulnerable Software and Affected Versions**
simple-git versions prior to 3.36.0

**Description**
A Remote Code Execution (RCE) issue exists in the simple-git Node.js library due to improper code generation management and an incomplete fix for a previous flaw. The issue occurs because the `--config` option was not adequately blocked, while the `-c` option was. If untrusted input reaches the `options` argument, a remote attacker can inject arbitrary git configuration settings, such as enabling `protocol.ext.allow=always` and using an `ext::` clone source, to execute arbitrary code on the host machine. This exploitation requires no authentication or user interaction.

**Recommendations**
Update to version 3.36.0 or later.
PT-2025-35097
6.9
2025-08-28
Formcms · Formcms · CVE-2025-56236
**Name of the Vulnerable Software and Affected Versions**
FormCms version 0.5.5

**Description**
FormCms version 0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload `.html` files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.