Nekzor

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 1.41.1 **Description** The issue concerns several cross-site scripting vulnerabilities in the `deno doc` crate, leading to Self-XSS when using `deno doc --html`. Specifically, there are two vulnerabilities: 1. The generated `search index.js` file uses `innerHTML` on unsanitized HTML input, and 2. the `deno doc` component does not sanitize property names, method names, and enum names. The first vulnerability likely has minimal impact since `deno doc --html` is typically used locally with personal packages. **Recommendations** For Deno versions prior to 1.41.1, upgrade to a version newer than 1.41.1 to mitigate the risk. As a temporary workaround, consider restricting the use of the `deno doc --html` command until a patch is applied. Avoid using the `deno doc` component with unsanitized input until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: oak versions prior to 17.1.3 Description: The issue allows an attacker to bypass the default restriction on transferring hidden files using the `Context.send` API by encoding `/` as its URL encoded form `%2F`. This can potentially lead to reading sensitive user data or gaining access to server secrets. The `isHidden` function is flawed, as it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`. The vulnerability can be exploited by using API endpoints such as `/poc%2f../.env` or `/poc%2f../.git/config` to access sensitive files. Recommendations: For versions prior to 17.1.3, update to version 17.1.3 to fix the issue. As a temporary workaround, consider restricting access to the `Context.send` API or disabling the `isHidden` function until a patch is available. Avoid using the `decodeComponent` function to decode URLs, as it may allow an attacker to bypass the restriction on transferring hidden files.