Maple3142

**Name of the Vulnerable Software and Affected Versions** TinyMCE versions 6.8.0 through 7.0.x **Description** An XSS (Cross-Site Scripting) issue exists due to improper SVG namespace scope handling within the sanitizer. An attacker can use a crafted payload with nested elements to bypass attribute sanitization, allowing the execution of arbitrary JavaScript. **Recommendations** Update to version 7.1.0.

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the `fetch()` function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the `fetch()` function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into `fetch()` can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Livebook versions prior to 0.8.2 Livebook versions prior to 0.9.3 **Description** The issue allows arbitrary code execution on a victim's machine when a `livebook://` link is opened from a browser, triggering Livebook Desktop to execute the code. This can happen when a user expects Livebook to be opened from a browser. **Recommendations** For versions prior to 0.8.2, update to version 0.8.2 or later. For versions prior to 0.9.3, update to version 0.9.3 or later. As a temporary workaround, consider avoiding the use of `livebook://` links from browsers until the issue is resolved.