Posix

**Name of the Vulnerable Software and Affected Versions** wire-webapp versions prior to 2022-03-30-production.0 **Description** The issue is related to insufficient escaping in markdown "code highlighting" in the wire-webapp, which allows the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim, allowing the attacker to fully control the user account. Wire-desktop clients connected to a vulnerable wire-webapp version are also vulnerable to this attack. **Recommendations** For wire-webapp versions prior to 2022-03-30-production.0, update to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0) to resolve the issue. As a temporary workaround, consider restricting access to the markdown "code highlighting" feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** pathval versions prior to 1.1.1 **Description** The issue is related to prototype pollution, which affects the pathval package. This type of issue can occur when an application does not properly validate user input, allowing an attacker to pollute the prototype of an object, potentially leading to security vulnerabilities. **Recommendations** For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider implementing input validation to prevent prototype pollution. Restrict access to sensitive functions and variables to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** json-pointer versions prior to 0.6.1 **Description** The issue affects the json-pointer package, where multiple references of an object using a slash are supported. **Recommendations** For versions prior to 0.6.1, update to version 0.6.1 or later to resolve the issue.