Niccolò Parlanti

**Name of the Vulnerable Software and Affected Versions** podinfo versions prior to 6.11.3 **Description** A reflected cross-site scripting issue exists in the '/echo' and '/api/echo' endpoints. The `echoHandler` function writes request body content directly to the response without setting explicit 'Content-Type' or 'X-Content-Type-Options' headers. This allows attackers to use cross-origin HTML pages with auto-submitting forms containing script payloads in the request body. Because of Go's content type detection, these responses are served as 'text/html', enabling the script to execute within the podinfo origin context when a victim visits the malicious page. **Recommendations** Update to a version later than 6.11.2. As a temporary workaround, restrict access to the '/echo' and '/api/echo' endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TeleJSON versions prior to 6.0.0 **Description** An issue exists in the `parse()` function involving unsafe deserialization. When reconstructing object prototypes, a custom reviver passes the value of the ` constructor-name ` property directly to `new Function()` without sanitization. This allows an attacker to execute arbitrary JavaScript by delivering a crafted JSON payload, for example, through `postMessage` in cross-frame communication contexts. **Recommendations** Update to version 6.0.0 or later.