Ochk0

Name of the Vulnerable Software and Affected Versions Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5 Description The Vite dev server improperly handles .map requests for optimized dependencies. It resolves file paths and calls readFile without restricting '../' segments in the URL, potentially allowing bypass of the server.fs.strict allow list and retrieval of .map files located outside the project root if they are valid source map JSON. This could expose sensitive content if the server is exposed to the network and predictable paths to .map files exist. Recommendations Update to Vite version 6.4.2 or later, 7.3.2, or 8.0.5.

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.2.3 Description OpenProject, a web-based project management software, has an issue where user input is directly embedded into SQL WHERE clauses without proper parameterization. This occurs due to the =n operator in modules/reporting/lib/report/operator.rb:177. This could allow for SQL injection. The issue affects authenticated users and could potentially grant them database access. Recommendations Update to version 17.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** fast-xml-parser versions 4.1.3 through 5.3.5 **Description** fast-xml-parser has a flaw in how it handles DOCTYPE entity names during XML parsing. Specifically, a dot (.) within an entity name is treated as a regex wildcard during entity replacement. This allows an attacker to shadow or override built-in XML entities such as (<, >, &, ", ') with arbitrary values, bypassing entity encoding. This can lead to Cross-Site Scripting (XSS) when the parsed output is rendered, or potentially to information disclosure or Server-Side Request Forgery (SSRF). The issue exists in both versions 5 and 6 of the library. The parser constructs regular expressions dynamically from untrusted DOCTYPE entity names. An entity name like 'l.' creates a regex that matches any character, effectively shadowing the '<' entity. The vulnerability affects applications parsing untrusted XML and using the output in injection-sensitive contexts. Approximately 40 million weekly npm downloads are affected. **Recommendations** Update fast-xml-parser to version 5.3.5 or later.